05-30-2023 01:35 PM
Hello
I am in the beginning stages of implementing Wired ISE / 802.1x using EAP-TLS. We have user and machine certificates and an internal PKI. For the most part everything is working. The very limited number of users I put on this are working just fine. Printers, cameras, etc. all authenticating with MAB are working.
Now I am at a crossroads and trying to figure out the best course of action. Our Help Desk Team needs to be able to log into user machines with the local Windows Admin Account. This can be for a number of different reasons, but the primary focus is new machines straight out of the box. Help Desk receives a new machine and needs to install updates, domain join it, etc. Domain joining is the primary concern. Once it's domain joined, GPO kicks in and certs, etc. are pulled. All other functions they need, such as installing updates, can be performed after joining.
So if there is a brand new machine that has no user certificates... how do we allow this local admin user access to the network?
And just to make it even more complicated. Once that machine is on the domain - that local admin account's password is now controlled by MS LAPS.
I currently have 2 support tickets with TAC, and none of them have been able to assist as of yet. There has to be another company out there that's faced this issue before. I do understand that we can simply designate a few physical ports that do not use Dot1X... but I'm not sure our security team will be OK with that.
Any help or ideas would be appreciated. Thanks.
05-30-2023 01:36 PM
Sorry. I forgot to mention that we are also using Cisco AnyConnect NAM (Network Access Manager) as our supplicant. ...Although we are not married to that, it is what's currently in use.
05-30-2023 03:48 PM
This would be a similar issue to the discussion here:
https://community.cisco.com/t5/network-access-control/pc-imaging-on-nac-secured-ports/td-p/3486098
There has been no enhancement on the Microsoft side to improve this experience. There have been some enhancements to the ISE APIs and development of modules for IaC tools like Ansible and Terraform since that discussion that could also help develop a process for adding/removing endpoint MAC addresses to a temporary build whitelist.
https://cs.co/ise-api
06-04-2023 01:27 PM
A very basic solution that works for one of my customers for remote PC imaging is to give the Desktop Team access to ISE (limited menu, to see Endpoints only) and they add MAC addresses to a PXEBoot Group. Those endpoints get a Permit Any Any dACL on the switch, and the endpoints are automatically purged from ISE after 24 hours.
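The temporary build whitelist described in the two replies above (MAC added to a PXE/build endpoint group, purged after 24 hours) as an added Python sketch; this is not code from the thread or from Cisco. It assumes the ISE ERS `ERSEndPoint` request shape (`mac`, `groupId`, `staticGroupAssignment`, `description`), a placeholder group id, and a 24-hour TTL, and it makes no network calls: it only builds the request body and decides which records the purge job should delete.

```python
"""Helpers for a temporary build/PXE MAC allow-list in ISE (offline sketch).
Assumption, not from the thread: the ERS 'ERSEndPoint' field names below.
Verify them against the ERS docs for your ISE version before use."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

BUILD_GROUP_ID = "PLACEHOLDER-BUILD-GROUP-UUID"   # hypothetical endpoint group id
BUILD_TTL = timedelta(hours=24)                   # how long a build MAC stays allowed

def normalize_mac(raw: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or AA:BB:... and return the
    colon-separated uppercase form; reject anything that is not 12 hex digits
    so a typo never creates a stray endpoint record in ISE."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12 or len(re.sub(r"[^0-9a-fA-F:.\-]", "", raw)) != len(raw):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def build_endpoint_payload(raw_mac: str, ticket: str, created: datetime) -> dict:
    """Request body that statically pins the endpoint to the build group. The
    description carries the ticket and creation time so the purge job (and the
    security team) can see why the MAC was allowed and since when."""
    return {"ERSEndPoint": {
        "mac": normalize_mac(raw_mac),
        "groupId": BUILD_GROUP_ID,
        "staticGroupAssignment": True,
        "description": f"build-whitelist ticket={ticket} created={created.isoformat()}",
    }}

def parse_created(description: str) -> Optional[datetime]:
    m = re.search(r"created=(\S+)", description)
    return datetime.fromisoformat(m.group(1)) if m else None

def expired_endpoints(endpoints: list, now: datetime) -> list:
    """MACs whose 24-hour window has lapsed; a record without a parseable
    timestamp is treated as expired (fail closed) and is purged too."""
    stale = []
    for ep in endpoints:
        created = parse_created(ep.get("description", ""))
        if created is None or now - created >= BUILD_TTL:
            stale.append(ep["mac"])
    return stale

# Constructed sample data: one MAC past its window, one still inside it,
# and one record someone created by hand without a timestamp.
SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    build_endpoint_payload("aa-bb-cc-dd-ee-01", "HD-1001", SAMPLE_NOW - timedelta(hours=30))["ERSEndPoint"],
    build_endpoint_payload("aabb.ccdd.ee02", "HD-1002", SAMPLE_NOW - timedelta(hours=2))["ERSEndPoint"],
    {"mac": "AA:BB:CC:DD:EE:03", "description": "added manually"},
]
```

Run the purge step against `SAMPLE_ENDPOINTS` at `SAMPLE_NOW` and only the 30-hour-old and the untimestamped records come back for deletion.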