Cisco ISE Dynamic VLAN with Microsoft AD

Kevin Raditheo
Level 1

Hi all,

I want to ask some questions.

Currently I'm using Cisco ISE for dynamic vlan assignment based on group on AD.

The problem I'm facing is, the user will only get IP address after they put username and password in dot1x supplicant. But sometimes, some user need to contact their domain controller for their windows login and this happens before the endpoint get an IP address. So the endpoint can't contact their DC.

Any suggestions for this case?

Thank you very much for your advice.

Accepted Solution

howon
Cisco Employee

When the user is not logged in, typically the Windows supplicant is configured to do machine authentication. You will need to create a policy that allows the AD 'Domain Computers' group to have access to the domain controllers to let the endpoints contact domain controllers.


5 Replies

Hi howon,

Thanks for your advice.

If the endpoint does machine authentication to the domain controller, how can it be done without an IP address?

Have you tried this before?

Just like you authenticate an AD user via 802.1X, you can authenticate an AD-joined machine (computer) via 802.1X. It is configurable in the supplicant. Make sure it is set to 'User or Computer authentication', which is the default. Since this is 802.1X authentication it happens at OSI layer 2, without IP. See the supplicant setting below on Windows:

[Screenshot: Windows 802.1X supplicant authentication mode setting (Screen Shot 2017-01-25 at 11.05.01 AM.png)]

Thanks howon,

I think I get it. So the endpoint will authenticate with its machine name through ISE and ISE will query the AD just like user authentication, right?

So I will need a policy with a condition like "if the user is a domain computer" or something like that.

How about the policy result? Must I put default permit access or can I restrict the traffic with an ACL so it can only contact the DC but not anything else?

Yes, typically you would allow access to AD related IP only + DHCP & DNS.
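As an added illustration of the "AD-related IP only + DHCP & DNS" result described above (not part of the original thread), here is a constructed downloadable ACL (dACL) that could be attached to the authorization profile matched by the machine-authentication rule (for example a condition on the AD external group 'Domain Computers'). The domain controller address 10.10.10.11 and the dACL name are placeholders; lines beginning with "!" are annotations only, since the ISE dACL editor accepts bare ACE lines.

```cisco
! Constructed example dACL "MACHINE_AUTH_DC_ONLY" (placeholder name).
! Source is "any" by convention: the switch substitutes the endpoint's IP once
! IP device tracking learns it. Placeholder DC: 10.10.10.11 (repeat the host
! entries for each additional domain controller).
!
! DHCP first: the endpoint has no address yet when machine auth succeeds.
permit udp any eq bootpc any eq bootps
! DNS to the DC, needed to resolve the _ldap/_kerberos SRV records.
permit udp any host 10.10.10.11 eq domain
permit tcp any host 10.10.10.11 eq domain
! Kerberos (TCP and UDP).
permit udp any host 10.10.10.11 eq 88
permit tcp any host 10.10.10.11 eq 88
! LDAP (UDP 389 is used for the CLDAP "DC locator" ping), LDAPS, Global Catalog.
permit udp any host 10.10.10.11 eq 389
permit tcp any host 10.10.10.11 eq 389
permit tcp any host 10.10.10.11 eq 636
permit tcp any host 10.10.10.11 eq 3268
! SMB for SYSVOL/NETLOGON shares (group policy, logon scripts).
permit tcp any host 10.10.10.11 eq 445
! RPC endpoint mapper plus the dynamic RPC range used by Netlogon/DRS.
permit tcp any host 10.10.10.11 eq 135
permit tcp any host 10.10.10.11 range 49152 65535
! NTP, so Kerberos clock skew stays within tolerance.
permit udp any host 10.10.10.11 eq 123
! Everything else is blocked until the user logs on and gets the user policy.
deny ip any any
```

Once the user logs on, the supplicant performs user authentication and ISE returns the user authorization (the dynamic VLAN), replacing this restricted result for the session.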