06-04-2019 12:49 PM
Hello, one of my clients would like to use ISE to control network access at a plant. The machines are not joined to AD and users log in via local accounts. How can I create an authc policy to authenticate those users? Which identity store should be selected in this case?
06-04-2019 08:05 PM
If they are not AD joined then EasyConnect won't work :-( - but if the devices support 802.1X then you can configure the supplicant to perform 802.1X authentication. That is independent of whether the device is AD joined or not.
Windows supplicants support machine and user auth. Other OSes typically only support user authentication via the supplicant (because these devices are not used by multiple users anyway).
06-04-2019 09:13 PM
And that would be against ISE internal identity store correct?
06-05-2019 06:32 PM
It doesn't matter. You can have an AD infrastructure containing Users, but at the same time, none of your computers are domain joined (domain joined means that AD knows about the machine because there is a machine account in the AD directory).
I don't know what your scenario is. But AD is just a collection of objects (users, computers, etc.) - ISE can search the AD for an 802.1X authentication. You can also use LDAP or SQL or local ISE accounts.
06-07-2019 10:16 AM
Hi Arne, I created an internal user and an identity sequence that checks the internal user database only. I created test authentication and authorization policies and configured the Windows machine dot1x settings. The problem is that the Windows machines don't prompt for a login unless there is a local account on the machine. Any idea how I can configure the Windows machine to prompt for credentials that are present on ISE?
06-09-2019 06:11 AM
Hi @NETAD
I don't understand what you mean by "The problem is that the windows machines don't prompt for a login unless there is a local account on the machine" - every Windows machine has a local account - but the "prompting for credentials" you are talking about is controlled by the Windows supplicant configuration (e.g. for Wired 802.1X you need to enable the Windows Service called "Wired AutoConfig" - then you can suddenly see a Security tab under the Ethernet adapter). This is widely documented all over the place. Wireless is similar, but the supplicant config is always available for configuration and does not need any special service to run. www.labminutes.com ...
06-10-2019 03:45 PM
06-11-2019 02:03 AM
Make sure your supplicant is configured to authenticate "User" and not Computer.
06-17-2019 04:15 PM
The functionality you are looking for is identity rewrite, which strips the machine name or domain before the \ and uses only the username.
You can also use MAC authentication bypass and whitelist the MAC addresses in the ISE endpoint DB.
It depends on what level of access you need for the machine before 802.1X/MAB. You can redirect the machines to do a web authentication and use users in the internal DB following MAB. Web auth will give you a consistent user experience (ignore the session:posture attribute value).
Thanks
Krishnan
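Added example (not ISE code and not from any poster): a PowerShell function that emulates what an identity-rewrite rule dropping everything before the `\` does to the identities a supplicant might present, and flags `host/` machine identities, which an internal-user policy can never match. The identity strings and the internal-user list are constructed for the demonstration.

```powershell
# Constructed sample data: a few identities as a supplicant would send them,
# and the usernames that exist in the (hypothetical) ISE internal store.
$InternalUsers = @('alice', 'bob')
$SeenIdentities = @('PC01\alice', 'PC07\alice', 'host/PC03', 'bob@plant.example', 'carol')

function ConvertTo-BareIdentity {
    param([Parameter(Mandatory)][string]$Identity)

    # host/<name> is a Windows machine identity: the supplicant is doing computer
    # auth, so no rewrite helps; the profile needs user authentication instead.
    if ($Identity -match '^host/(?<machine>.+)$') {
        return [pscustomobject]@{ Kind = 'machine'; Name = $Matches.machine; Original = $Identity }
    }
    # PC01\alice or CORP\alice -> alice : the rewrite the thread describes
    if ($Identity -match '^(?<prefix>[^\\]+)\\(?<user>.+)$') {
        return [pscustomobject]@{ Kind = 'user'; Name = $Matches.user; Original = $Identity }
    }
    # alice@plant.example (UPN form) -> alice
    if ($Identity -match '^(?<user>[^@]+)@(?<realm>.+)$') {
        return [pscustomobject]@{ Kind = 'user'; Name = $Matches.user; Original = $Identity }
    }
    # Already a bare username
    return [pscustomobject]@{ Kind = 'user'; Name = $Identity; Original = $Identity }
}

# Show, for each identity, what the policy would see after the rewrite and
# whether an internal-user identity source could match it.
$SeenIdentities | ForEach-Object { ConvertTo-BareIdentity $_ } | ForEach-Object {
    $status = if ($_.Kind -eq 'machine') { 'machine auth: no internal user to match' }
              elseif ($InternalUsers -contains $_.Name) { 'matches internal user' }
              else { 'unknown user: authc would fail' }
    '{0,-20} -> {1,-8} {2}' -f $_.Original, $_.Name, $status
}
```

Note that `PC01\alice` and `PC07\alice` both collapse to `alice`: that is the intended effect here (one internal account used from several machines), but the same collapse applies across domains, so a rewrite that strips the prefix is only safe when the remaining usernames are unique in whatever identity source the policy points at.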
06-17-2019 05:28 PM
Thanks. Is there a way to make dot1x prompt for authentication every time a user logs off? The laptops will not be used by the same user, so I need a way for Windows to not cache the credentials and to prompt upon logging off and logging on.
06-17-2019 06:23 PM
If you use 802.1X with user authentication, the 802.1X supplicant will typically send a logoff when the user logs off. You need to test this and see if this happens.
-Krishnan