Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
282
Views
1
Helpful
6
Replies

assaiging Dynamic VLAN if empoyees or taking personal device

rameshkumarnakka
Level 1
Level 1

‎05-22-2024 12:32 AM

Hi

I configured my ISE on the network

Now if user enter domain account (active directory), he have **ll access on the network

But some user use their personal computer and their domain account to acces the network

How can I add second requirement befor access the network

The second requirement should be to check that computer have been added in the domain

Please can you help me with step by step configuration ?

Regards

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎05-22-2024 12:39 AM

@rameshkumarnakka you will need to distinguish between a AD joined computer and a personal device.

I assume you are currently using PEAP/MSCHAPV2? You could use EAP-TLS for AD joined devices and apply a different set of policies to those devices and another to the personal devices, which could continue to use PEAP/MSCHAPV2.

If you use posture you can perform a registry check to determine if the computer is joined to the AD domain, therefore use posture on your AD joined computers.

Else you could use the AD Probe to lookup to see if the computer is joined to the AD domain, profile the devices and  then use this profiling information in an authorisation rule.

0 Helpful

rameshkumarnakka
Level 1
Level 1
In response to Rob Ingram

‎05-22-2024 01:00 AM

Hey @Rob Ingram 

Thank you for your valuable reply 

Yes. We were using PEAP/MSCHAPV2 ,

but when were using EAP-TLS one error occuring please find below attached SC

Screenshot 2024-05-22 at 1.19.08 PM.png


and we were wondering how to segregate the domain and non domain devices and if it is non-domain we need to assign different VLAN  for that 

0 Helpful

Rob Ingram
VIP
VIP
In response to rameshkumarnakka

‎05-22-2024 01:05 AM

@rameshkumarnakka the client is configured to use certificates, but the ISE policies need reconfiguring to allow EAP-TLS certificate authentication.

EAP chaining for AD joined computers as per @Karsten Iwen comment is another good method.

0 Helpful

rameshkumarnakka
Level 1
Level 1
In response to Rob Ingram

‎05-22-2024 03:03 AM

@Rob Ingram  i want to try the ADprobe for profiling of domain devices in that i was bit struggling to the. condition point can you suggest me based on below Screen schoot

03_32_41.jpg

03_32_52.jpg

  

0 Helpful

Karsten Iwen
VIP
VIP

‎05-22-2024 12:40 AM

The first step is to configure ISE and supplicant for both User and Machine Authentication. When that is working, you can migrate to the EAP method TEAP, where you can do EAP chaining. The ISE checks that user authentication is done from a PC that was previously machine-authenticated.

Customers Also Viewed These Support Documents