Participant

Authenticate non-domain PCs

Hello, one of my clients would like to use ISE to control network access at a plant. The machines are not joined to AD and users log in via local accounts. How can I create an authc policy to authenticate those users? Which identity store should be selected in this case?

Accepted Solution
Cisco Employee

Re: Authenticate non-domain PCs

The functionality you are looking for is identity rewrite, which strips the machine name or domain before the \ and uses only the username.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#task_E34DC84405014271B33F6D4E455A441D

 

You can also use MAC authentication bypass and whitelist the MAC addresses in ISE endpoint db.

It depends on what level of access you need for the machine before 802.1X/MAB. You can redirect the machines to do a web authentication and use users in the internal DB following MAB. Web auth will give you a consistent user experience. (Ignore the session:posture attribute value.)

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01110.html#ID1316

 

Thanks

Krishnan
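To make the rewrite behaviour concrete, here is an added example (not ISE's own code or API) that models a prefix/suffix-stripping identity rewrite against a constructed internal user store, and flags the side effect a practitioner should check before enabling it: once the prefix is stripped, every `HOST\user` and `DOMAIN\user` collapses onto the same internal account. The user names, host names and rule set are assumptions for illustration.

```python
import re

# Constructed stand-in for the ISE internal user store (not ISE's own API).
INTERNAL_USERS = {"operator1", "operator2"}

# Ordered rewrite rules modelled on the stripping the answer describes.
# Each rule is (pattern, replacement); the first matching rule wins.
REWRITE_RULES = [
    # HOST\user  -> user   (NetBIOS-style prefix a Windows supplicant sends)
    (re.compile(r"^[^\\/@]+\\(?P<user>[^\\/@]+)$"), r"\g<user>"),
    # user@domain -> user  (UPN form, for completeness)
    (re.compile(r"^(?P<user>[^\\/@]+)@[^\\/@]+$"), r"\g<user>"),
]


def rewrite_identity(identity: str) -> str:
    """Apply the first matching rewrite rule; unmatched identities pass through."""
    for pattern, repl in REWRITE_RULES:
        if pattern.match(identity):
            return pattern.sub(repl, identity)
    return identity


def lookup(identity: str):
    """Return (rewritten identity, found-in-internal-store)."""
    if identity.startswith("host/"):
        # Machine identity: a computer authentication, never a user account.
        return identity, False
    rewritten = rewrite_identity(identity)
    return rewritten, rewritten in INTERNAL_USERS


def collisions(identities):
    """Group raw identities that rewrite to the same internal username.

    A prefix-stripping rule merges LAPTOP-01\\operator1 and LAPTOP-02\\operator1
    into one account, which is the intended effect here but worth auditing.
    """
    seen = {}
    for ident in identities:
        seen.setdefault(rewrite_identity(ident), []).append(ident)
    return {user: raw for user, raw in seen.items() if len(raw) > 1}


if __name__ == "__main__":
    for ident in ["LAPTOP-01\\operator1", "operator2@plant.local", "host/LAPTOP-01"]:
        print(ident, "->", lookup(ident))
```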

 

10 REPLIES
VIP Advocate

Re: Authenticate non-domain PCs

If they are not AD joined then EasyConnect won't work :-( - but if the devices support 802.1X then you can configure the supplicant to perform 802.1X authentication. That is independent of whether the device is AD joined or not.

Windows supplicants support machine and user auth. Other OSes typically only support a user authentication via the supplicant (because these devices are not used by multiple users anyway).

Participant

Re: Authenticate non-domain PCs

And that would be against ISE internal identity store correct?

VIP Advocate

Re: Authenticate non-domain PCs

It doesn't matter. You can have an AD infrastructure containing users, but at the same time none of your computers are domain joined (domain joined means that AD knows about the machine because there is a machine account in the AD directory).

 

I don't know what your scenario is. But AD is just a collection of objects (users, computers, etc.) - ISE can search the AD for an 802.1X authentication. You can also use LDAP or SQL or local ISE accounts.

Participant

Re: Authenticate non-domain PCs

Hi Arne, I created an internal user and an identity sequence that checks the internal user database only. I created test authentication and authorization policies and configured the Windows machine's dot1x settings. The problem is that the Windows machines don't prompt for a login unless there is a local account on the machine. Any idea how I can configure the Windows machine to prompt for credentials that are present on ISE?

VIP Advocate

Re: Authenticate non-domain PCs

Hi @NETAD 

I don't understand what you mean by "The problem is that the windows machines don't prompt for a login unless there is a local account on the machine" - every Windows machine has a local account - but the "prompting for credentials" you are talking about is controlled by the Windows supplicant configuration (e.g. for wired 802.1X you need to enable the Windows service called "Wired AutoConfig" - then you can suddenly see a Security tab under the Ethernet adapter). This is widely documented all over the place. Wireless is similar, but the supplicant config is always available for configuration and does not need any special service to run. www.labminutes.com ...

Participant

Re: Authenticate non-domain PCs

Hi Arne, what I meant was that Win10 wasn't prompting for a login at the lock screen. I got that fixed following this link:

https://winaero.com/blog/how-to-make-windows-10-ask-for-user-name-and-password-during-log-on/

My problem now is that when logging in to the laptop, ISE is seeing the MachineName\username format, so it's not finding a match in the internal user DB. Is there a way to strip the machine name while authenticating so ISE only sees the username portion?

Cisco Employee

Re: Authenticate non-domain PCs

Make sure your supplicant is configured to authenticate "User" and not Computer.

Participant

Re: Authenticate non-domain PCs

Thanks. Is there a way to make dot1x prompt for authentication every time a user logs off? The laptops will not be used by the same user, so I need a way for Windows to not cache the credentials and to prompt upon logging off and logging on.

Cisco Employee

Re: Authenticate non-domain PCs

If you use 802.1X with user authentication, then when the user logs off the 802.1X supplicant will typically send a logoff. You need to test this and see if this happens.

 

-Krishnan