topic Cisco ISE 3.1 Non-domain Joined Machines in Network Access Control

Cisco ISE 3.1 Non-domain Joined Machines

osman869 — Fri, 19 Aug 2022 16:19:52 GMT

Hello,

I have created a policy for the wired devices. The devices which are connecting to network should act as a non compliant if Posture fails. (this policy is working fine).

The only issue is I don't know how to segregate the domain-joined PCs and non-domain joined PCs in the policy. However the domain joined machines are using root certificates which are already added to ISE.

I just want that a PC which is not domain joined how to make a policy for all the devices.

Thanks in advance.

Re: Cisco ISE 3.1 Non-domain Joined Machines

Walker — Fri, 19 Aug 2022 17:01:38 GMT

How would you want your non-domain joined PC to authorize? Do you want it to look to a different identity store? MAB? We will need additional information.

Re: Cisco ISE 3.1 Non-domain Joined Machines

osman869 — Fri, 19 Aug 2022 17:36:26 GMT

Hi,

Its kind of alien device and we dont have any information about them. On which attributes we can differentiate from domain-joined machines.

So that when an alien devices comes it should go the Guest VLAN without configuring BYOD.

Re: Cisco ISE 3.1 Non-domain Joined Machines

Walker — Fri, 19 Aug 2022 18:14:02 GMT

You can identify your domain computers by using the Certificate authentication conditions, for example "Issuer - Common Name."

If you are looking for computers to gain access without certificates installed, MAB may be your only option. Ensure your profiling policies are in place to properly identify that they are indeed workstations. Within your MAB policy you would then have to set your authorization result to assign the Guest VLAN to anything that falls into that profiling group. I would make sure the Guest VLAN is restricted as much as possible as anyone can now plug in a workstation and be authorized. It should be just enough access for you to access and install certificates.

This is just my way of thinking, I would like to see what other suggestions there are.

Re: Cisco ISE 3.1 Non-domain Joined Machines

thomas — Sat, 20 Aug 2022 15:48:03 GMT

How do you identify your non-domain joined assets? I suspect if they are unjoined then they are not managed and so you fall back to using MAC addresses with MAB. Do you have them in a list such as an ISE endpoint group that you put them into? Or do you treat them all as unknown/untrusted Guests? I suspect you default to Guest. So give them Guest access.