Cisco ISE- Setup new PC need to join domain

Sina Dy
Level 1

Dear Team,

After implementing Cisco ISE, we have one challenge with the Desktop Support team: they need to set up Windows on new PCs that must join the domain, but after we applied NAC on the switch port they can't join the domain, because the PC is not compliant and can't access any resources.

Note: we're the ISE administrators. Currently, when there is a new PC that needs to join the domain, we help by whitelisting it from the ISE dashboard, or by excluding the switch port without applying low-impact mode; then the Desktop Support team can perform the domain join and install software from their checklist, and after they complete it we remove it from the whitelist. But this requires a lot of help from other teams, adds workload and lowers productivity. For example, sometimes the Desktop Support team needs to fix an issue or re-join the domain immediately, but they have to contact the ISE administrator or network team to whitelist the PC or exclude the switch port.

And in our environment before applying ISE, the Desktop Support team could join or re-join the domain at the user's location.

I would like to seek your advice on best practices and the process steps that should resolve this challenge and reduce the workload on the Desktop Support team.

Really appreciate your help.

3 Replies

Greg Gibbs
Cisco Employee

This is a common scenario with PC imaging on NAC-enabled networks due to the way Windows works. See the following Community post.

PC Imaging on NAC secured ports 


Hi @Greg Gibbs, thanks for sharing.

Octavian Szolga
Level 4

Hi Sina,

Besides what Greg mentioned (which are great options, btw), some customers choose to use a database that is managed by the help-desk team, where MAB/MAC exceptions are managed.

This means that any PC that needs network access and is not (yet) part of the AD infrastructure has to be manually added to the database.

From your side (ISE admin), you need to carefully plan the ISE authC and authZ rules for MAB/MAC exceptions so that that specific DB is used (try not to break the usual MAB/profiling for printers and so on).

From the help-desk department's perspective, they have to manage the MAC exceptions.

Because the MAC exists in the DB, a specific authorization profile can be used (like having a dedicated VLAN that is filtered on the SVI/L3 interface, using a dACL, or just returning access-accept with no other limiting attributes).

BR,

Octavian
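The flow Octavian describes (a help-desk-owned exception table consulted before the normal MAB/profiling rules, with a staging authorization profile for PCs that are not yet domain members) can be modelled offline. The following is an added example written for this thread; it is not Cisco ISE code, it does not talk to ISE, and every name in it (the DomainJoin-Staging and Printer-Access profiles, the dACL names, the INC0001 ticket, the sample MACs) is constructed for illustration. It adds one thing the posts only imply: each exception carries an expiry, so the staging access the original question has to remove by hand disappears on its own.

```python
"""Offline model of a help-desk-managed MAB exception table for domain-join
staging. Added example, not Cisco ISE code; all profile, dACL and ticket
names are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Authorization results, listed in rule order: the help-desk exception is
# checked first so a new PC gets staging access, while the existing
# profiling rules (printers etc.) keep working for everything else.
PROFILE_STAGING = {"profile": "DomainJoin-Staging", "dacl": "PERMIT-AD-SERVICES-ONLY"}
PROFILE_PRINTER = {"profile": "Printer-Access", "vlan": "PRINTERS"}
PROFILE_LOW_IMPACT = {"profile": "LowImpact", "dacl": "PERMIT-DHCP-DNS-ONLY"}


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to AA:BB:CC:DD:EE:FF so the help-desk entry and the
    RADIUS Calling-Station-Id compare equal whatever notation was typed
    (aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff and aabbccddeeff are all accepted)."""
    text = mac.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", text):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MabException:
    mac: str
    ticket: str        # help-desk ticket that justifies the exception
    expires: datetime  # staging access ends here even if nobody cleans up


class ExceptionDB:
    """The help-desk-owned table of temporary MAB exceptions (constructed)."""

    def __init__(self) -> None:
        self._rows: dict[str, MabException] = {}

    def add(self, mac: str, ticket: str, now: datetime, ttl_hours: int = 4) -> MabException:
        entry = MabException(normalize_mac(mac), ticket, now + timedelta(hours=ttl_hours))
        self._rows[entry.mac] = entry
        return entry

    def lookup(self, mac: str, now: datetime) -> Optional[MabException]:
        entry = self._rows.get(normalize_mac(mac))
        if entry is None or entry.expires <= now:
            return None  # unknown or expired: fall through to the normal rules
        return entry

    def purge_expired(self, now: datetime) -> list[str]:
        """Housekeeping run: drop expired rows and report which MACs went."""
        gone = [m for m, e in self._rows.items() if e.expires <= now]
        for m in gone:
            del self._rows[m]
        return gone


def authorize(calling_station_id: str, profiled_group: Optional[str],
              db: ExceptionDB, now: datetime) -> dict:
    """Evaluate the MAB rules in order, like an ordered ISE policy set, and
    return the matched profile together with the name of the rule that hit."""
    mac = normalize_mac(calling_station_id)
    exc = db.lookup(mac, now)
    if exc is not None:                        # rule 1: help-desk exception
        return {"rule": "HelpDesk-MAB-Exception", "ticket": exc.ticket, **PROFILE_STAGING}
    if profiled_group == "Printer":            # rule 2: existing profiling rule
        return {"rule": "Profiled-Printers", **PROFILE_PRINTER}
    return {"rule": "Default-LowImpact", **PROFILE_LOW_IMPACT}


def run_scenario() -> dict:
    """Constructed walk-through: help desk registers a new PC, the PC is
    authorized into staging, the entry expires, and a printer is unaffected."""
    db = ExceptionDB()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    db.add("aabb.ccdd.eeff", "INC0001", now=t0)  # Cisco dotted notation on entry
    results = {
        "staging": authorize("AA-BB-CC-DD-EE-FF", None, db, t0),
        "expired": authorize("AA-BB-CC-DD-EE-FF", None, db, t0 + timedelta(hours=5)),
        "printer": authorize("00:11:22:33:44:55", "Printer", db, t0),
        "purged": db.purge_expired(t0 + timedelta(hours=5)),
    }
    try:
        normalize_mac("AA:BB:CC:DD:EE")  # truncated address must be rejected
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The rule ordering is the point of Octavian's caution about printers: the exception lookup runs first but only matches MACs the help desk has entered and that have not expired, so profiled devices still hit their own rule and unknown devices still land in the low-impact default. In a real deployment the table would be the endpoint identity group or external identity source the ISE authorization rule references, and the staging profile would carry the dACL or VLAN that allows only the AD, DNS and DHCP traffic a domain join needs.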