Can ISE check if the PC is connected to the domain?

Ahmad Murad
Level 1

Hello,

Is there any way to let the ISE check if the PC is connected to the domain or not? I have checked all the possibilities; the only workaround that I have found is that I can force the dot1x authentication to use the same domain credentials when logging in to the device. If the PC cannot authenticate, then this means that this PC is not connected to the domain.

Is there any way to check that before accessing the wired network and force the PC to join the domain in case it is not joined?

1 Reply

Tarik Admani
VIP Alumni

ISE can check if a PC is joined to the domain if you force the client to download the NAC agent; from there you can perform a registry check to see if the PC is a member of your domain.

With this approach you run the risk of all clients (guests and internal) downloading the NAC agent. With enforcing dot1x you can enforce posturing policies for your internal users and allow guests access to only the internet.

In the end this relies on your deployment: if you have a guest policy then you may need to figure out what you want to use; if there is no guest policy you should be covered. You can also explore SCCM or Altiris to distribute the NAC agent.

However, you cannot force the clients to join the domain if they fail the policy; you can only prevent or grant guest access if they fail this check. In most cases users will need domain admin privs to leave the AD domain.

Hope this helps


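Added example, not part of the original reply and not Cisco's posture logic: a PowerShell check an administrator could run on a Windows endpoint to see what a registry-based domain-membership condition would find, compared against what Windows itself reports. The thread does not say which registry value the check reads; the `Domain` value under `Tcpip\Parameters`, the function name `Test-DomainMembership`, and the domain `corp.example.com` are assumptions for illustration.

```powershell
# Added example. Function name and expected domain are hypothetical.
function Test-DomainMembership {
    [CmdletBinding()]
    param(
        # DNS name of the AD domain the endpoint is expected to belong to.
        [Parameter(Mandatory)][string]$ExpectedDomain
    )

    # Registry signal (assumed key): DNS domain recorded for the TCP/IP stack.
    # On a workgroup machine this value is normally empty or absent.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $regDomain = (Get-ItemProperty -Path $regPath -Name 'Domain' `
                    -ErrorAction SilentlyContinue).Domain

    # OS signal: Win32_ComputerSystem reports PartOfDomain = $false and the
    # workgroup name in .Domain when the machine is not domain-joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # -ieq makes the comparison case-insensitive, as DNS names are.
    $regMatch = ([bool]$regDomain) -and ($regDomain -ieq $ExpectedDomain)
    $osMatch  = ([bool]$cs.PartOfDomain) -and ($cs.Domain -ieq $ExpectedDomain)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RegistryDomain = $regDomain
        ReportedDomain = $cs.Domain
        PartOfDomain   = [bool]$cs.PartOfDomain
        RegistryMatch  = $regMatch
        OsMatch        = $osMatch
        # Compliant only when both signals agree on the expected domain.
        Compliant      = ($regMatch -and $osMatch)
        # A disagreement means the registry value alone would mislead the check.
        SignalMismatch = ($regMatch -ne $osMatch)
    }
}

# Placeholder domain; replace with the organisation's AD DNS name.
Test-DomainMembership -ExpectedDomain 'corp.example.com' | Format-List
```

Running this across a sample of managed and unmanaged machines before writing the posture condition shows whether the chosen registry value separates the two groups reliably.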
