08-04-2021 05:58 AM
Hello everyone,
I'm facing a strange problem with an ISE 2.7 policy. I'm building Wireless Dynamic VLAN based on Active Directory users from a specific OU, and it works just fine: I'm getting the right VLAN and IP. Unfortunately, it's not enough, and I want to restrict this connection not only by user and password but also to Domain Computers only. When I try to make a condition that looks like:
LDAP:distinguishedName CONTAINS "ou name" AND
LDAP:ExternalGroups EQUALS "Domain Computers"
it just passes through this condition and ends with the default Reject.
Can anyone assist with how I can build a condition that will permit access to our wireless environment based on domain computer and user and password from a specific Active Directory OU?
08-04-2021 11:42 AM
If you want to combine user and machine authentication you'll have to use EAP Chaining, using either EAP-FAST (requires Cisco AnyConnect NAM) or the TEAP protocol, which requires Windows 10 version 2004 (released May 2020). There would obviously be a cost involved to purchase AnyConnect NAM, so using TEAP might be your best option (assuming your version of Windows is up to date).
08-05-2021 04:20 AM
Those authentications are independent; you could only tie them together using an EAP chaining method.
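The independence the reply above describes, as an added Python model that is not from the thread or from Cisco: each unchained 802.1X session carries one identity, so a rule that needs both a machine group and a user OU cannot match until EAP chaining puts both identities into one session. The OU, user and host names are constructed, and the chaining-result strings follow the form of ISE's Network Access:EapChainingResult attribute, which the thread itself does not mention.

```python
# Added illustration, not ISE code: a toy model of why a rule that ANDs a
# machine-group check with a user-OU check never fires when machine and user
# authentication arrive as two independent 802.1X sessions, and why EAP
# chaining (TEAP / EAP-FAST) is what makes both identities visible at once.
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    dn: str            # LDAP:distinguishedName
    groups: tuple      # LDAP:ExternalGroups


@dataclass
class Session:
    """One RADIUS authentication as the policy engine sees it (constructed)."""
    identities: tuple  # one identity for plain EAP-MSCHAPv2, two when chained

    def chaining_result(self) -> str:
        # Assumption: modelled on ISE's Network Access:EapChainingResult values.
        return "User and machine both succeeded" if len(self.identities) == 2 else "No chaining"


OU = "OU=Wireless Users"        # constructed OU name from the question's scenario
GROUP = "Domain Computers"


def original_rule(s: Session) -> bool:
    """The condition from the question: DN CONTAINS ou AND ExternalGroups EQUALS group."""
    return any(OU in i.dn for i in s.identities) and any(GROUP in i.groups for i in s.identities)


def chained_rule(s: Session) -> bool:
    """Rule a practitioner would write once chaining is in place."""
    return s.chaining_result() == "User and machine both succeeded" and any(OU in i.dn for i in s.identities)


def authorize(s: Session, rule=original_rule) -> str:
    return "PermitAccess-DynamicVLAN" if rule(s) else "DenyAccess"


# Constructed sample identities: a domain-joined laptop and a user in the OU.
MACHINE = Identity("host/LAPTOP01.example.com", "CN=LAPTOP01,OU=Workstations,DC=example,DC=com", ("Domain Computers",))
USER = Identity("jdoe", "CN=jdoe,OU=Wireless Users,DC=example,DC=com", ("Domain Users",))

MACHINE_ONLY = Session((MACHINE,))   # boot-time machine authentication
USER_ONLY = Session((USER,))         # user logon authentication, a separate session
CHAINED = Session((MACHINE, USER))   # TEAP with both inner methods succeeding

if __name__ == "__main__":
    for label, sess in [("machine", MACHINE_ONLY), ("user", USER_ONLY), ("chained", CHAINED)]:
        print(f"{label:8} original_rule={authorize(sess)}  chained_rule={authorize(sess, chained_rule)}")
```

Only the chained session satisfies the question's AND condition; the two plain sessions each fall through to DenyAccess, which is the behaviour the question reports.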
08-04-2021 11:17 PM
Hello Rob,
The documents you mentioned in your reply cannot be used in my scenario. I'm using Dynamic VLAN only for wireless and not wired, so for the authentication I'm using Wireless_802.1X AND EAP-MSCHAPv2. The computer passes the connection authentication, but when it comes to authorizing, a combined authorization policy built for domain computers and an AD user and password just jumps to the default authorization policy and rejects the connection.