cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1007
Views
10
Helpful
5
Replies

Cisco ISE 2.4- AD Authentication

mgr
Level 1
Level 1

Hi, 

 

We are planning to deploy ISE for 802.1x authentication for wired LAN. We want to authenticate the AD users who are logging in through domain PCs to gain access to network based on 802.1x. 

Please help me with the following scenario.

 

1. User logs into his/her laptop using domain credentials (from cache without connecting to network)

2. Log in is successful.

3. After logging in, connects the laptop to the network port that is configured for 802.1x authentication. 

 

In this case, if we configure policy to allow users based on AD username & password, will ISE prompt the user to provide username & password once again when he/she connects to the network or will the authentication happen in the background without any user intervention.

2 Accepted Solutions

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
Depends on how the supplicant is set. There is a setting to use the credentials from the login
https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

View solution in original post

Hi Jason, 

 

Thanks a lot for responding. This answers my query. The link is very useful as well. 

View solution in original post

5 Replies 5

Jason Kunst
Cisco Employee
Cisco Employee
Depends on how the supplicant is set. There is a setting to use the credentials from the login
https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

Hi Jason, 

 

Thanks a lot for responding. This answers my query. The link is very useful as well. 

Another question - I am trying to authenticate a corporate user with a corporate device to gain access to the network.

The corporate device has two certificates – one for the machine, another for the user.

I want to match the hostname of the computer against my AD’s “domain computers” group & domain user name of the user against my AD’s “domain users” group.

I only have base license of ISE and not any other additional licenses. I am using windows native supplicant and not any other additional supplicants.
Is it possible to achieve this? If yes, how to configure my windows machine to send both machine and user credentials to ISE?

What you want to do is possible with a base license, it is a standard authentication flow. If you want to match/authenticate both the machine and user at the same time though then you will not be able to do this with the native supplicant. You would have to leverage Anyconnect's NAM module, you can read about this if you google NAM eap-chaining. I can find you a guide if you have trouble locating it.

With the windows supplicant you can do both machine and user authentication, but it is one at a time. Ex. machine boots up and performs machine auth, user then logs in and performs user auth. The native supplicant wont chain machine+user at the same time.

With NAM it usually looks like this;
machine boots up and nam supplicant sends machine auth. User logs in and then NAM sends both machine+user auth attempt chained in one.

Hi, Thanks for your response. I would like to try the windows native supplicant and i am fine with the authentication in succession - machine authentication during bootup & user authentication later. Could you please let me know if there are any guides to configure my windows machine for this?