08-21-2023 11:50 PM
Hi team,
I have ISE version 3.1 patch 6 integrated with AD.
* New PC added to AD:
1. Whitelist the MAC address of the PC on ISE.
2. Whitelist the MAC address of the USB network adapter on ISE.
QA - Do you have another solution to add a new PC to AD without whitelisting?
08-23-2023 12:36 AM
Hi @Thea OEM,
MAC address authentication is usually used only when there is no other way of performing authentication (e.g. dummy device that doesn't support 802.1x like printers, CCTV and similar).
Given that you have AD and ISE, I would advise migrating from MAB to dot1x authentication; that way, you don't need to deal with MAC addresses anymore, as you'll do the AD join anyway. There are numerous posts and guides on dot1x implementation, so look it up on this community.
Kind regards,
Milos
08-23-2023 07:58 PM
Hello @Milos_Jovanovic
Sure, I use 802.1x for PCs and MAB for IoT devices. When we have a new PC that needs to be added to AD, we plug it into the network to get an IP, but this PC can no longer access network resources because we set the policy condition:
Posture check required: user AD + Anti-malware
Our solution: whitelist this PC to add it to AD first; the PC gets an AD certificate, the AnyConnect agent scans for compliance, and then we remove the whitelist entry again.
My purpose: find another solution, because we don't want whitelisting.
08-24-2023 12:03 AM
If your policy is to use whitelisting, then you don't really have many options other than to whitelist it.
What you could consider is a different approach than whitelisting. You could use a PEAP/EAP-TLS approach with dual SSIDs: authenticate the PC via user credentials and quarantine it, so it gets the necessary config, such as the cert and the appropriate WiFi profile, and upon enrollment it will re-authenticate with the cert and get full access. Something similar can be done for wired access, if needed. This way, if the user is using only credentials, he ends up with limited access, and is motivated to complete cert-based authentication.
Kind regards,
Milos
08-24-2023 01:32 AM
Appreciate, thank you for your advice.
08-23-2023 01:58 AM
In most cases in a corporate environment, the PC build uses certs, so the PC can be identified by the local PKI infrastructure to join the domain.
Do you have an 802.1x environment? Why are you looking at MAB (is this not a standard build?)
08-23-2023 08:02 PM
Hello @balaji.bandi
Sure, I use 802.1x for PCs and MAB for IoT devices. When we have a new PC that needs to be added to AD, we plug it into the network to get an IP, but this PC can no longer access network resources because we set the policy condition:
Posture check required: user AD + Anti-malware
Our solution: whitelist this PC to add it to AD first; the PC gets an AD certificate, the AnyConnect agent scans for compliance, and then we remove the whitelist entry again.
My purpose: find another solution, because we don't want whitelisting.
08-24-2023 01:43 AM
Make a different policy for onboarding devices, so they get the basic requirements needed to join AD.
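Milos's credentials-then-quarantine idea and balaji.bandi's separate onboarding policy describe the same authorization-policy shape: a first-match rule set in which a PC that can only present AD user credentials lands in a restricted profile that reaches just the services needed for the domain join and cert enrollment, and only a cert-authenticated, posture-compliant PC gets full access. The model below is an added illustration written for this thread; it is not Cisco ISE code or either participant's configuration, and the rule names, profile names, dACL entries and session attributes are all assumptions made for the example.

```python
"""Toy first-match authorization policy for the onboarding flow described
in the thread.  Assumed names throughout; not Cisco ISE's data model."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Session:
    """Attributes ISE would learn about one authentication session (assumed)."""
    auth_method: str            # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB"
    ad_user: bool = False       # user credentials validated against AD
    machine_cert: bool = False  # client presented a cert from the corporate CA
    posture: str = "Unknown"    # "Compliant", "NonCompliant" or "Unknown"
    mac_in_iot_group: bool = False  # endpoint identity group used for MAB devices


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str


# Authorization profiles and the destinations their dACL permits (assumed).
# The onboarding profile reaches only what a domain join and cert enrollment
# need: DHCP/DNS, the domain controllers, the CA and ISE itself.
PROFILES = {
    "PermitAccess": ["any"],
    "Posture_Remediation": ["ise-psn", "remediation-server"],
    "Onboarding_Quarantine": ["dhcp", "dns", "domain-controllers", "ca", "ise-psn"],
    "IoT_Access": ["iot-vlan-gateway"],
    "DenyAccess": [],
}

# Rules are evaluated top to bottom; the first match wins, as in an ISE
# policy set.  The onboarding rule replaces the MAC whitelist: a PC with only
# AD user credentials and no machine cert is quarantined, not denied.
POLICY: List[Rule] = [
    Rule("IoT_MAB",
         lambda s: s.auth_method == "MAB" and s.mac_in_iot_group,
         "IoT_Access"),
    Rule("Corp_PC_Compliant",
         lambda s: s.auth_method == "EAP-TLS" and s.machine_cert
         and s.posture == "Compliant",
         "PermitAccess"),
    Rule("Corp_PC_Posture_Pending",
         lambda s: s.auth_method == "EAP-TLS" and s.machine_cert
         and s.posture != "Compliant",
         "Posture_Remediation"),
    Rule("Onboarding_AD_User",
         lambda s: s.auth_method == "PEAP-MSCHAPv2" and s.ad_user
         and not s.machine_cert,
         "Onboarding_Quarantine"),
]
DEFAULT_RULE = ("Default", "DenyAccess")


def authorize(session: Session) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile) for a session."""
    for rule in POLICY:
        if rule.condition(session):
            return rule.name, rule.profile
    return DEFAULT_RULE


def allowed_destinations(profile: str) -> List[str]:
    """What the dACL attached to a profile lets the endpoint reach."""
    return PROFILES[profile]


def onboarding_lifecycle() -> List[str]:
    """Profiles a brand-new PC passes through, in order, without any
    MAC whitelisting: credentials only -> cert but unposted -> compliant."""
    stages = [
        # 1. Fresh PC, not yet domain-joined: only AD user credentials.
        Session("PEAP-MSCHAPv2", ad_user=True),
        # 2. Joined and enrolled: machine cert, posture agent not yet reported.
        Session("EAP-TLS", machine_cert=True, posture="Unknown"),
        # 3. AnyConnect posture reports compliant.
        Session("EAP-TLS", machine_cert=True, posture="Compliant"),
    ]
    return [authorize(s)[1] for s in stages]


if __name__ == "__main__":
    for stage, profile in enumerate(onboarding_lifecycle(), 1):
        print(f"stage {stage}: {profile} -> {allowed_destinations(profile)}")
    # Unknown MAC with no credentials still hits the default deny rule.
    print(authorize(Session("MAB")))
```

The point of the ordering is that the onboarding rule sits below the cert-based rules, so once the PC re-authenticates with EAP-TLS it can never fall back into quarantine, and an unknown MAB endpoint that is not in the IoT group still ends in the default deny rule rather than in any whitelist.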