Cisco ISE 3.1 Non-domain Joined Machines

osman869 (Level 1)

Hello,

I have created a policy for the wired devices. The devices which are connecting to the network should be treated as non-compliant if posture fails (this policy is working fine).

The only issue is I don't know how to segregate the domain-joined PCs and non-domain-joined PCs in the policy. However, the domain-joined machines are using root certificates which are already added to ISE.

I just want to know how to make a policy for all the devices, including a PC which is not domain joined.

Thanks in advance.

4 Replies

Walker (Level 1)

How would you want your non-domain joined PC to authorize? Do you want it to look to a different identity store? MAB? We will need additional information.

Hi,

It's a kind of alien device and we don't have any information about them. On which attributes can we differentiate them from domain-joined machines?

So that when an alien device comes it should go to the Guest VLAN without configuring BYOD.

You can identify your domain computers by using the Certificate authentication conditions, for example "Issuer - Common Name."

If you are looking for computers to gain access without certificates installed, MAB may be your only option. Ensure your profiling policies are in place to properly identify that they are indeed workstations. Within your MAB policy you would then have to set your authorization result to assign the Guest VLAN to anything that falls into that profiling group. I would make sure the Guest VLAN is restricted as much as possible as anyone can now plug in a workstation and be authorized. It should be just enough access for you to access and install certificates.

This is just my way of thinking; I would like to see what other suggestions there are.
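
The rule ordering described in this answer, as an added example that is not from the thread or from ISE itself: a small Python model of the authorization policy that matches domain PCs on the certificate "Issuer - Common Name" condition, sends failed-posture domain PCs to remediation, and drops MAB-authenticated endpoints profiled as workstations into the Guest VLAN. The issuer CN, profile names and result names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values (assumptions, not from the thread): the issuer CN of the
# domain PKI and the profiling groups ISE assigns to workstations.
CORPORATE_ISSUER_CN = "corp-issuing-ca"
WORKSTATION_PROFILES = {"Windows-Workstation", "Microsoft-Workstation"}

@dataclass
class Session:
    auth_method: str                        # "EAP-TLS" (certificate) or "MAB" (MAC address)
    issuer_cn: Optional[str] = None         # Certificate "Issuer - Common Name" attribute
    endpoint_profile: Optional[str] = None  # profiling result for the endpoint
    posture_status: str = "Unknown"         # "Compliant", "NonCompliant" or "Unknown"

def authorize(s: Session) -> str:
    """Evaluate rules top-down; the first matching rule decides (ISE style)."""
    # Rules 1/2: domain-joined PC, identified by a certificate from the corporate CA.
    # ISE reaches this condition only after the chain validated against its trusted
    # certificate store, so the string match is not the only check protecting the rule.
    if s.auth_method == "EAP-TLS" and s.issuer_cn == CORPORATE_ISSUER_CN:
        if s.posture_status == "Compliant":
            return "PermitAccess"
        return "Posture_Remediation"      # posture failed or not yet run: limited access
    # Rule 3: no usable certificate; fall back to MAB, but only for endpoints the
    # profiler classified as workstations, and land them in the restricted Guest VLAN.
    if s.auth_method == "MAB" and s.endpoint_profile in WORKSTATION_PROFILES:
        return "Guest_VLAN"
    # Default rule: everything else (unknown MAB endpoints, certs from other issuers).
    return "DenyAccess"

# Constructed sample sessions exercising each branch.
SAMPLE_SESSIONS = {
    "domain_pc_compliant": Session("EAP-TLS", issuer_cn=CORPORATE_ISSUER_CN, posture_status="Compliant"),
    "domain_pc_failed_posture": Session("EAP-TLS", issuer_cn=CORPORATE_ISSUER_CN, posture_status="NonCompliant"),
    "foreign_cert": Session("EAP-TLS", issuer_cn="some-other-ca", posture_status="Compliant"),
    "alien_workstation": Session("MAB", endpoint_profile="Windows-Workstation"),
    "unknown_mab_device": Session("MAB", endpoint_profile="Unknown"),
}

def evaluate_all() -> dict:
    """Return the authorization result for every sample session."""
    return {name: authorize(sess) for name, sess in SAMPLE_SESSIONS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:26s} -> {result}")
```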

thomas (Cisco Employee)

How do you identify your non-domain joined assets? I suspect if they are unjoined then they are not managed and so you fall back to using MAC addresses with MAB. Do you have them in a list such as an ISE endpoint group that you put them into? Or do you treat them all as unknown/untrusted Guests? I suspect you default to Guest. So give them Guest access.