topic Re: ISE Authorize only Domain Computers in Network Access Control

ISE Authorize only Domain Computers

quadrabe — Fri, 11 Apr 2025 08:13:38 GMT

In ISE we'd like to have a Polcy Set that Authorizes only domain computers.
Now we're using ExternalGroups EQUALS domain/Users/Domain Computers but this does not seem to work.
Other ways like PrimaryGroupID EQALS 515 also do not seem to do the trick for us.

Re: ISE Authorize only Domain Computers

Rob Ingram — Fri, 11 Apr 2025 08:19:36 GMT

@quadrabe is the supplicant configured to perform machine/computer authentication?
Are you using PEAP/MSCHAPv2 or EAP-TLS?
If EAP-TLS are you using a Certificate Authentication Profile and performing a lookup into AD? - example

What do the ISE Live logs indicate for the authentication? Please provide screenshots.

Re: ISE Authorize only Domain Computers

JPavonM — Fri, 11 Apr 2025 08:55:43 GMT

As @Rob Ingram said the supplicant must be configured for Machine auth only, or User or Machine, with the latest one connecting while in the Windows login screen with the machine name, and then with the user credentials after log in.

Additionally, during the authentication phase, you can limit the access to RADIUS Usernames like ".*your.domain.net", but I have seen a problem with few Win11 where they are not sending the full FQDN but only the hostname, so failing to be authenticated unless a backup policy to accept any AD credential would be below.

Re: ISE Authorize only Domain Computers

quadrabe — Fri, 11 Apr 2025 09:03:34 GMT

Yes the supplicant is configured to use machine authentication, we use PEAP/MSCHAPv2.

Re: ISE Authorize only Domain Computers

Rob Ingram — Fri, 11 Apr 2025 10:02:00 GMT

@quadrabe as requested, please provide screenshots of your live logs, this would provide information on how we can determine the problem.

Also provide screenshots of your authorisation rules.

Re: ISE Authorize only Domain Computers

quadrabe — Fri, 11 Apr 2025 10:57:32 GMT

Here is a screenshot.

Re: ISE Authorize only Domain Computers

Greg Gibbs — Mon, 14 Apr 2025 00:12:20 GMT

A screenshot of the Authorization Policy is not enough information. You would need to share detailed information from the Live Logs as @Rob Ingram has suggested multiple times for us to provide any meaningful assistance.

You could be running into an issue with Authentication due to Credential Guard being enabled by MS.

You could be running into group-matching issues if the ISE computer accounts do not have read permission to the 'tokenGroups' attribute.

You can also try using the Test User tool to do a lookup against AD for the computer account and associated groups by using 'host/<computer name>' as the username.

There could be any number of reasons the session is not hitting your authorization policy.