Known AD Device on network via ISE 2.3

troy.hart
Level 1

Hello all, 

Troy here and I am new to this. Please excuse some of my grammatical errors. I am one of the system admins in a school district with over 15000 students and employees. We have Cisco ISE version 2.3 and have policies in place for each group per SSID. Our ISE is also joined to AD and our users are able to authenticate through ISE to access the network; however, we want to allow only devices known in AD, and allow the users' credentials to access the network via wireless 802.1X. We want to prevent unknown devices from accessing our network if they are not known in AD. How can we write a policy in ISE to do this, or will we need to stand up an MDM solution?


10 Replies

Francesco Molino
VIP Alumni
Hi

Before answering your question, I have some questions for you. When you say known devices in AD, what does that mean, just to be sure?
Do all your students have a laptop joined to AD? Do you create computer objects just to have a MAB object?
Do your students never connect using their mobile devices (tablets and/or smartphones)? Are these devices somehow in your AD?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

The known devices are AD-joined and we are 1:1 in the district. We have not created policies for MAB objects in ISE. Our students in middle and high schools connect their personal devices, which are not AD-joined, to the network. We want to prevent their ability to use those devices. What solution do you have, and can it be done in ISE?

Thanks,

Ok. Today, how are users authenticated (for AD-joined machines)? Is it user authentication or machine authentication?
Is this Wi-Fi connection, on AD-joined computers, set up through a GPO or not?

To only authenticate machines, at some point you would need to push a GPO to configure the native supplicant to send machine authentication instead of user authentication.
If you also want to have user authentication as a 2nd factor, you can set up MAR or ISE Passive-ID.

Configuring your machines and ISE this way, you can deny user-only authentication (connections from non-AD-joined machines).

Does that make sense?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Users and machines authenticate based on AD. However, our policy is allowing non-AD devices to connect even though there is a policy set for users and domain computers. We do not have a GPO set up for Wi-Fi on AD-joined computers. The information provided above does make sense.

Thanks,

Troy

Can you share a screenshot of your ISE policies?

I believe you have a rule with a condition matching the user group but not a rule with a user and machine condition, right?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I have uploaded a screenshot of the test policy.

Troy Hart

In your policies, the one referring to a computer is disabled. Let's say this one was enabled and the authentication method on your Windows machines is user or machine authentication.
When a corporate machine authenticates (user not logged in), the computer is authorized with permit any.
When the user logs in, the 2nd rule will take effect if the user is a member of the Students group.

Now, if a student connects using a non-corporate machine, he'll be able to authenticate and get authorized because the rule referring to the Students group is still active and will give the user a permit any.

To link a user authentication to a previous machine authentication, you would need:
- EAP chaining
- Cisco ISE MAR (ISE caching authentication)
- machine authentication + ISE Passive-ID for user second factor.

There are no other ways to prevent a user from authenticating on the network if not using a corporate machine.

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
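To make the rule-evaluation argument above concrete, here is a small Python model of the two situations Francesco describes: a "Students group permits access" rule on its own, and the same rule gated on a MAR-style cached machine authentication. This is an added, constructed example, not ISE code or anything from this thread; the cache structure, rule layout, aging time, MAC addresses and group names are assumptions made for the model. The one real ISE name it relies on is the Network Access:WasMachineAuthenticated attribute, which is what a MAR-aware authorization rule checks.

```python
"""Simplified model of ISE authorization with and without a MAR check.

Constructed example (not Cisco ISE code). Rules are walked top-down, the
first match wins. MAR is modelled as a per-endpoint cache of the last
successful machine authentication, keyed by Calling-Station-ID (MAC); the
user rule consults it the way an ISE rule would consult
Network Access:WasMachineAuthenticated. Aging time and all identities,
MACs and group names below are assumed sample values.
"""
from dataclasses import dataclass

MAR_AGING_SECONDS = 6 * 3600  # assumed aging time for the model


@dataclass(frozen=True)
class Request:
    mac: str                 # Calling-Station-ID of the endpoint
    identity: str            # host/NAME for machine auth, sAMAccountName for user auth
    kind: str                # "machine" or "user"
    ad_groups: frozenset     # AD groups resolved for the identity


class MarCache:
    """Remembers which endpoints (by MAC) machine-authenticated recently."""

    def __init__(self, aging_seconds):
        self.aging = aging_seconds
        self._last_machine_auth = {}  # mac -> epoch seconds

    def record(self, mac, now):
        self._last_machine_auth[mac] = now

    def was_machine_authenticated(self, mac, now):
        ts = self._last_machine_auth.get(mac)
        return ts is not None and (now - ts) <= self.aging


def authorize(req, cache, now, require_mar):
    """Return "PermitAccess" or "DenyAccess" for one RADIUS request."""
    # Rule 1: Domain Computers -> PermitAccess (the rule that was disabled in
    # the thread's screenshot, here enabled). A successful machine auth
    # populates the MAR cache for this endpoint.
    if req.kind == "machine" and "Domain Computers" in req.ad_groups:
        cache.record(req.mac, now)
        return "PermitAccess"
    # Rule 2: Students -> PermitAccess. Without the MAR condition this rule
    # matches any device that presents valid student credentials; with it,
    # the endpoint must also have machine-authenticated within the aging time.
    if req.kind == "user" and "Students" in req.ad_groups:
        if require_mar and not cache.was_machine_authenticated(req.mac, now):
            return "DenyAccess"
        return "PermitAccess"
    # Default rule
    return "DenyAccess"


def scenario(require_mar):
    """Run four sample sessions and return their outcomes by label."""
    cache = MarCache(MAR_AGING_SECONDS)
    t0 = 1_700_000_000
    corp = "00:11:22:33:44:55"   # constructed: district laptop
    byod = "AA:BB:CC:DD:EE:FF"   # constructed: student's personal phone
    student = frozenset({"Students"})
    results = {}
    # District laptop boots (machine auth), then the student logs in on it.
    results["corp_machine"] = authorize(
        Request(corp, "host/LAPTOP01", "machine", frozenset({"Domain Computers"})),
        cache, t0, require_mar)
    results["corp_user"] = authorize(
        Request(corp, "student1", "user", student), cache, t0 + 60, require_mar)
    # Same student, personal phone: valid AD credentials, no machine auth from this MAC.
    results["byod_user"] = authorize(
        Request(byod, "student1", "user", student), cache, t0 + 120, require_mar)
    # District laptop long after its last machine auth: cache entry has aged out.
    results["corp_user_aged"] = authorize(
        Request(corp, "student1", "user", student),
        cache, t0 + MAR_AGING_SECONDS + 1, require_mar)
    return results


if __name__ == "__main__":
    for label, flag in (("user-group rule only", False), ("with MAR check", True)):
        print(label, scenario(flag))
```

With `require_mar=False` all four sessions are permitted, which is exactly the gap in the posted policy: the personal phone matches the Students rule. With `require_mar=True` the phone is denied while the laptop-then-login sequence still works. The last case shows the usual MAR caveat to plan for: a user authenticating from a corporate machine whose cached machine authentication has aged out is also denied until the machine authenticates again (typically after a reboot or re-association), so the aging time and the supplicant's "user or computer" setting need to be chosen together.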

Hi Francesco,

This is correct.

To link a user authentication to a previous machine authentication, you would need:
- EAP chaining
- Cisco ISE MAR (ISE caching authentication)
- machine authentication + ISE Passive-ID for user second factor.

There are no other ways to prevent a user from authenticating on the network if not using a corporate machine.

Is that clear? The above information you provided is what we want to happen.

Thanks,

Troy

Hi Francesco,

With Cisco ISE MAR, will we need the MAC addresses of said devices, or could the policy be written to include AD-joined?

Thanks,

With MAR you can have authentication based on AD group membership, and actually this is the goal: you use this feature to authenticate a machine and then a user (if its machine was authenticated).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question