Cisco ISE -Machine Needs an access to the Network After User Logs Out

RohitSingh91693
Level 1

Is there any way to get access to the network before the user logs in on a Windows machine? We are using ISE 2.6; currently the outer method is EAP-FAST and the inner method is EAP-MSCHAP. We are using AnyConnect 4.9.04043, and the XML profile we have created did not enable Machine Auth.

Our main objective is to get machine access to the network before login and after logout, so that the user will have the privilege to change the Windows domain credentials, or, when the user forgets the Windows AD credentials, the AD team can reset the password directly from AD; but for that to take effect the machine should be on the network.

Note - After user logout, AnyConnect disables the network access. Also, we are not using posturing in our environment.


@RohitSingh91693 the best thing to do would be to enable Machine Authentication in the AnyConnect NAM XML profile. Alternatively you could use MAB to provide access; you'll have to create a new ISE authorisation rule to permit this and ensure MAB is enabled on the switchports. MAB is less secure than 802.1x, which is why I recommend enabling machine authentication.

Rob, I can do that, but the problem is how the machine will be authenticated and get access to the network. Is it based on hostname, or do I need some condition? There are over 6 BUs here as well, and all of them are in different subnets, i.e. different VLANs.

The following points I need to clear first.

1. The AD team does not have the list of hostnames in their database. Also, I do not have an option inside the EAP chaining condition that states "Machine & User both failed".

2. Earlier, during implementation, EAP-TLS was recommended as the inner method and PKI was to be taken care of by the AD team (which they failed to set up and could not do); afterwards I unintentionally hopped over to MS-CHAP as the inner method.

Here is what I want to ask: how do I make a condition in the authorization policy set? I do not want to have any dependency on the AD team, because I do not get any proper response from them; that is the reason I am asking.

How will I make a condition for authorization in the policy set after enabling Machine Auth using the XML profile editor?

> ... How will i make a Condition for Authorization in policy set ...

The condition for authorization may be as simple as verifying that the endpoint is in the Domain Computers group. Or, you may use the "Test User" tool in ISE to look up the groups.

[Screenshot attached: Screen Shot 2021-11-08 at 8.43.42 PM.png]

balaji.bandi
Hall of Fame

Adding to the other note: you can have certificate-based authentication (if the environment supports it), and ISE can put the machine in a different VLAN for this activity, if your environment has PKI.

BB

Hi,

You need to enable machine authentication in order to get access to the network during logout. For security reasons, you can have a different DACL for machine authentication which is restricted to specific tasks (such as password update) compared to the user authentication DACL.

You can have following policy sets (MAP means Machine Authentication Pass
and UAP means User Authentication Pass):

MAP_UAF (limited access)
MAP_UAP (full access)
MAF_UAP (denied access)
MAF_UAF (denied access)

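To make the four-outcome policy above concrete, here is an added example (not from this thread or from Cisco) that models first-match evaluation of the EAP chaining outcomes, combined with the "Domain Computers" group check from the accepted answer, and returns the DACL each outcome would get. Rule names, DACL contents and the attribute representation are assumptions for illustration, not ISE's own data model.

```python
# Added illustration of first-match authorization over the four EAP chaining
# outcomes (MAP/MAF x UAP/UAF). Rule names and DACL bodies are assumptions.
from __future__ import annotations
from dataclasses import dataclass

# Constructed DACLs. MACHINE_ONLY is restricted to what a logged-out domain
# member needs to reach the DCs (DNS, Kerberos, LDAP/LDAPS, SMB for GPO/SYSVOL);
# the exact port list is an assumption for this example.
DACLS = {
    "PERMIT_ALL": ["permit ip any any"],
    "MACHINE_ONLY": [
        "permit udp any any eq 53",   # DNS
        "permit tcp any any eq 88",   # Kerberos (password change / tickets)
        "permit udp any any eq 88",
        "permit tcp any any eq 389",  # LDAP
        "permit tcp any any eq 636",  # LDAPS
        "permit tcp any any eq 445",  # SMB to domain controllers
        "deny ip any any",
    ],
    "DENY": ["deny ip any any"],
}

@dataclass(frozen=True)
class AuthResult:
    machine_passed: bool          # machine leg of EAP chaining succeeded
    user_passed: bool             # user leg of EAP chaining succeeded
    in_domain_computers: bool = False  # AD group lookup on the machine account

# Ordered rules; ISE evaluates authorization policy top-down, first match wins.
# (rule name, predicate over the result, DACL to apply)
RULES = [
    ("MAP_UAP", lambda r: r.machine_passed and r.user_passed, "PERMIT_ALL"),
    ("MAP_UAF", lambda r: r.machine_passed and not r.user_passed
                          and r.in_domain_computers, "MACHINE_ONLY"),
    ("MAF_UAP", lambda r: not r.machine_passed and r.user_passed, "DENY"),
    ("MAF_UAF", lambda r: not r.machine_passed and not r.user_passed, "DENY"),
]

def authorize(result: AuthResult) -> tuple[str, list[str]]:
    """Return (matched rule name, DACL lines) for one EAP chaining outcome.

    A machine that passed but is not in Domain Computers matches nothing and
    falls through to the default deny rule at the bottom of the policy.
    """
    for name, matches, dacl in RULES:
        if matches(result):
            return name, DACLS[dacl]
    return "DEFAULT", DACLS["DENY"]

if __name__ == "__main__":
    for r in (AuthResult(True, True), AuthResult(True, False, True),
              AuthResult(True, False, False), AuthResult(False, True)):
        print(r, "->", authorize(r)[0])
```

The machine-only DACL is what lets a logged-out host reach AD for a password reset without granting the full user policy.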