topic Re: Role based VLAN assignment needs to add a Domain check in Network Access Control

Role based VLAN assignment needs to add a Domain check

CoryMDubya601 — Thu, 21 Nov 2024 16:52:23 GMT

We have role based VLAN assignment at my company. The issue is that in the current config the users can bring in their own devices, authenticate with their work credentials and then get access to internal resources. My solution is to add a domain check into the authentication policy to verify that the device is joined to the domain. Right now it is just for the Wireless devices. we would like to sent the BOYD non-company owned devices to a specific VLAN. we would like to put the company owned devices on the internal VLAN. I would like help in picking the correct CONDITION to check the domain. The role based policy check works well. I cannot get the domain check to work correctly

Any suggestions?

Re: Role based VLAN assignment needs to add a Domain check

Rob Ingram — Thu, 21 Nov 2024 17:00:51 GMT

@CoryMDubya601 you can perform a domain check using ISE Posture and can check the registry. Registry: - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain Value=<DOMAIN>

You might be better off using EAP Chaining (TEAP or EAP-FAST) on your domain joined computers, which can combine machine authentication and user authentication. Only your domain joined devices would be able to pass machine authentication, so therefore you can assign the appropriate VLAN. If EAP Chaining is not used, i.e., the BYOD devices you'd have a different authorisation rule and assign a different VLAN.

Else use ISE BYOD certificate for the non-company owned assets, therefore you can distinguish between the different connections and apply different VLANS accordingly.

Re: Role based VLAN assignment needs to add a Domain check

ahollifield — Fri, 22 Nov 2024 00:49:22 GMT

Use certificates instead. You should not be allowing unknown/untrusted devices onto the corporate network.

Re: Role based VLAN assignment needs to add a Domain check

CoryMDubya601 — Mon, 02 Dec 2024 19:14:10 GMT

Agreed. Imagine the shock I felt when I saw that these unknown/untrusted devices devices were in the "protected" VLAN. I will research on certificate enablement.

Re: Role based VLAN assignment needs to add a Domain check

Dustin Anderson — Mon, 02 Dec 2024 20:54:08 GMT

Another option is the MAR database. ISE can remember domain computers logged in before the use comes. EAP Chaining is better if your devices support it, but we use the MAR database to verify domain membership.

Re: Role based VLAN assignment needs to add a Domain check

ahollifield — Mon, 02 Dec 2024 21:11:39 GMT

Friends don’t let friends use MAR