Cannot make Authorization on ISE for both conditions

Hello everyone,

I'm facing a strange problem with an ISE 2.7 policy. I'm building wireless dynamic VLAN assignment based on Active Directory users from a specific OU, and it works just fine: I'm getting the right VLAN and IP. Unfortunately, it's not enough, and I want to restrict this connection not only by user and password but also to domain computers only. When I try to make a condition that looks like:

LDAP:distinguishedName CONTAINS "ou name" AND
LDAP:ExternalGroups EQUALS "Domain Computers"

it just passes through this condition and ends with the default Reject.

Can anyone assist with how I can build a condition that will permit access to our wireless environment based on a domain computer and a user and password from a specific Active Directory OU?

 

2 Accepted Solutions

denis@cybecs.com 

If you want to combine user and machine authentication you'll have to use EAP Chaining using either EAP-FAST (requires Cisco AnyConnect NAM) or the TEAP protocol, which requires Windows 10 version 2004 (released May 2020). There would obviously be a cost involved to purchase AnyConnect NAM, so using TEAP might be your best option (assuming your version of Windows is up to date).

 

https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289

https://community.cisco.com/t5/security-documents/how-to-deploy-eap-chaining-with-anyconnect-nam-and-ise/ta-p/3630969


denis@cybecs.com 

Those authentications are independent, you could only tie them together using an eap chaining method.

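To make the "independent authentications" point concrete, here is an added toy model of how an authorization rule sees the attributes of one RADIUS session. It is not ISE code and not part of this thread: the identities, OU and group names are constructed, and the chained-result attribute is modelled after ISE's Network Access:EapChainingResult (the string values are an assumption about that attribute). It evaluates the original poster's rule against a machine-only session, a user-only session, and one EAP-chained session, and shows that the rule as written matches none of them, while a rule keyed on the chained result does.

```python
"""
Toy model of how an authorization rule sees a single RADIUS session.

Added illustration for this thread; it is not ISE code and does not reproduce
ISE's policy engine. Identities, OU and group names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MACHINE_GROUP = "Domain Computers"   # constructed: the group in the OP's rule
USER_OU = "OU=Wireless Users"        # constructed: the OU fragment in the OP's rule


@dataclass
class Session:
    """Attributes available to authorization for one authentication."""
    identity: str
    distinguished_name: str
    external_groups: list = field(default_factory=list)
    # Present only when EAP chaining (TEAP / EAP-FAST) is used. Modelled after
    # ISE's Network Access:EapChainingResult attribute (assumed value strings).
    eap_chaining_result: Optional[str] = None


def op_rule(s: Session) -> bool:
    """The OP's rule: LDAP:distinguishedName CONTAINS <ou> AND LDAP:ExternalGroups EQUALS <group>."""
    return USER_OU in s.distinguished_name and MACHINE_GROUP in s.external_groups


def chained_rule(s: Session) -> bool:
    """Rule keyed on the chained outcome instead of per-identity LDAP attributes."""
    return s.eap_chaining_result == "User and machine both succeeded"


def authorize(s: Session, rule) -> str:
    """First matching rule wins; if nothing matches, the default rule (DenyAccess) applies."""
    return "PermitAccess" if rule(s) else "DenyAccess (default)"


# 1) Machine authentication: the identity is the computer account. It is a member
#    of Domain Computers but its DN is under the Computers container, not the user OU.
machine = Session(
    identity="host/LAPTOP01.corp.example",
    distinguished_name="CN=LAPTOP01,CN=Computers,DC=corp,DC=example",
    external_groups=["Domain Computers"],
)

# 2) User authentication (PEAP/EAP-MSCHAPv2): the identity is the user. The DN is in
#    the right OU, but a user account is never a member of Domain Computers.
user = Session(
    identity="corp\\alice",
    distinguished_name="CN=alice,OU=Wireless Users,DC=corp,DC=example",
    external_groups=["Domain Users", "Wireless Staff"],
)

# 3) One EAP-chained session: machine and user inner methods both succeeded inside
#    the same tunnel, so a single authorization decision sees the combined outcome.
chained = Session(
    identity="corp\\alice",
    distinguished_name="CN=alice,OU=Wireless Users,DC=corp,DC=example",
    external_groups=["Domain Users", "Wireless Staff"],
    eap_chaining_result="User and machine both succeeded",
)


def evaluate_all() -> dict:
    """Run each session through the rules and return the resulting decisions."""
    return {
        "machine_auth_op_rule": authorize(machine, op_rule),
        "user_auth_op_rule": authorize(user, op_rule),
        "chained_auth_op_rule": authorize(chained, op_rule),
        "chained_auth_chained_rule": authorize(chained, chained_rule),
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:28s} -> {result}")
```

Two things fall out of the model. Without chaining, the machine session and the user session are separate RADIUS authentications, and neither carries both the user's DN and the Domain Computers membership, so an AND over the two LDAP attributes can never match and the request falls to the default DenyAccess rule. With chaining, the session still belongs to the user identity, so the same rule still fails; the rule has to be rewritten around the chained result, combined with the user's OU or group condition, rather than around the computer account's group.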

3 Replies


Hello Rob,

 

The documents you mentioned in your reply cannot be used in my scenario. I'm using dynamic VLAN only for wireless and not wired, so for the authentication I'm using Wireless_802.1X AND EAP-MSCHAPv2. The computer passes the connection authentication, but when it comes to authorizing with a combined authorization policy built for domain computers and an AD user and password, it just jumps to the default authorization policy and rejects the connection.
