https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5130582#M590090 <P>Hello,</P> <P>we are using dot1x close mode authenticating AD machines and users, and we want to be able to authenticte local win account too. (beside user AD domain account).</P> <P>We think to add the local PC admin user account as ISE local user and use that in the authz policy too.</P> <P>Would this work? Do you see any problem with that?</P> <P>Thank you in advance.</P> <P>Regards.</P> Fri, 14 Jun 2024 11:51:34 GMT babalao 2024-06-14T11:51:34Z https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5130582#M590090 <P>Hello,</P> <P>we are using dot1x close mode authenticating AD machines and users, and we want to be able to authenticte local win account too. (beside user AD domain account).</P> <P>We think to add the local PC admin user account as ISE local user and use that in the authz policy too.</P> <P>Would this work? Do you see any problem with that?</P> <P>Thank you in advance.</P> <P>Regards.</P> Fri, 14 Jun 2024 11:51:34 GMT https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5130582#M590090 babalao 2024-06-14T11:51:34Z https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132275#M590116 <P>You can't do this because ISE has no access to check the endpoints' local user account passwords.&nbsp;</P> <P>I am also not sure that the Windows 802.1X supplicant will perform a user network authentication when that PC is not domain joined. I might be wrong - you should test that. But either way, even if it did, then you will have to add all the local user accounts and their passwords into ISE as Network Access accounts. How do get those passwords without asking each user? Maybe you could come up with some Frankenstein solution to integrate this into ISE via a portal or something - but it cannot guarantee that the user account information in ISE will always represent the local accounts on user machines.&nbsp; That's why we have AD <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 16 Jun 2024 22:21:28 GMT https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132275#M590116 Arne Bier 2024-06-16T22:21:28Z https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132790#M590140 <P>Hello,</P> <P>it would be only for the admin local user,and is the same on all PCs.</P> <P>Thank you</P> Mon, 17 Jun 2024 19:12:26 GMT https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132790#M590140 babalao 2024-06-17T19:12:26Z https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132807#M590142 <P>I don't know if Windows perform network authentication on local accounts. Something to test in the lab with a Windows PC - I don't have one available at the moment. The Windows Supplicant must be configured for User and Computer Auth.</P> <P>As far as the ISE Policy Set is concerned, in the Authentication part, you must have an Identity Source Sequence that includes the AD Join Point, and Internal Users. The order is not important, but you should consider which one should be searched first for performance and security reasons perhaps.</P> Mon, 17 Jun 2024 20:28:21 GMT https://community.cisco.com/t5/network-access-control/ise-authenticate-local-windows-account/m-p/5132807#M590142 Arne Bier 2024-06-17T20:28:21Z