Cisco ISE Machine Authentication

techguy_cisco
Level 1

Hi,

I'm working on Windows machine authentication through ISE. I can see that when the Windows supplicant is configured to use "Machine Authentication" it sends its hostname and domain information as the "Radius-Username". I only want to check whether the machine is inside my domain. This could be done by making a rule that checks whether "Radius-Username" contains "my-domain-name", but I want to check whether this computer is declared in Active Directory, to avoid someone using a personal computer with the domain configured manually on the computer.

How can it be done?

Thank you very much.

3 Replies

Baconframe
Level 1

A simple way to do this is to import the external group "Domain Computers" from the AD Identity Store.

Then you can just make sure that the supplicant is a member of this group:

[screenshot: eap_tls.png]

Thank you Bejkonfrejm,

But I'm not sure if it is what I need. In the example that you've given me, will the authentication steps be these ones?:

- ISE receives "Radius-Username" that ends with ".mydomain.com" (for example)

- Authentication is made through EAP-TLS

- ISE checks if this host "myhost.mydomain.com" belongs to AD group "xxxx/users/domain computers"?

Thank you very much.

Authentication and authorization are separate things.  With authentication, all ISE cares about is whether or not the device/user is truly who they say they are.  This can be accomplished by checking a username/password combination (PEAP) or by checking for a valid certificate (EAP-TLS).  With machine authentication on Windows computers, the machine will have a username and password that it presents to ISE for authentication.  ISE verifies that with AD.  Once authentication is successful, then ISE moves to the authorization policy.

For authorization, you can ensure that it was an actual computer that authenticated and that it wasn't a user account by checking membership in Domain Computers as the previous post recommended. This assures you that the device authenticating is a computer, or at least that its object is within the Domain Computers security group in AD.
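As an added example that is not part of the thread, here is the same check done outside ISE: a PowerShell function an administrator can run from a domain-joined workstation to confirm that the identity a Windows supplicant presents for machine authentication corresponds to a real computer object in AD and that the object is in Domain Computers. It assumes the RSAT ActiveDirectory module, that the User-Name arrives in Windows' `host/<fqdn>` form, and the sample names are constructed.

```powershell
# Added example, not from the thread: given the User-Name a Windows supplicant
# sends for machine authentication ("host/<fqdn>"), confirm that a matching
# computer object exists in AD and that it is a member of Domain Computers.
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
Import-Module ActiveDirectory

function Test-MachineAuthIdentity {
    param([Parameter(Mandatory)][string]$RadiusUserName)

    # "host/myhost.mydomain.com" -> short name "myhost" (the computer's AD name)
    $fqdn      = $RadiusUserName -replace '^host/', ''
    $shortName = ($fqdn -split '\.')[0]

    $result = [pscustomobject]@{
        UserName          = $RadiusUserName
        ComputerInAD      = $false
        InDomainComputers = $false
        DnsHostNameMatch  = $false
    }

    try {
        $computer = Get-ADComputer -Identity $shortName -Properties DNSHostName, PrimaryGroup, MemberOf
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # No computer object: a personal machine with the domain typed in locally lands here
        return $result
    }
    $result.ComputerInAD = $true

    # Domain Computers is normally the computer's *primary* group, which AD does not
    # list in memberOf, so test the primaryGroup back-link as well as memberOf.
    $dcDn = (Get-ADGroup -Identity 'Domain Computers').DistinguishedName
    $result.InDomainComputers = ($computer.PrimaryGroup -eq $dcDn) -or ($computer.MemberOf -contains $dcDn)

    # Sanity check: the FQDN in the RADIUS identity should match the object's dNSHostName
    $result.DnsHostNameMatch = ($computer.DNSHostName -ieq $fqdn)
    return $result
}

# Example use with a constructed identity:
Test-MachineAuthIdentity -RadiusUserName 'host/myhost.mydomain.com' | Format-List
```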