

Implementing Port Auth with Cisco ISE and Windows 10 for allowing AD joined clients



What I want to implement (which was implemented in the past using Windows 7 and Microsoft NPS) is this: (at least for the very beginning)


I'd like Dot1x authentication to do a simple task for me: only allow Windows 10 clients to be connected to the switch and get an IP address if their operating system is joined to an Active Directory domain. This was done on Windows 7 clients because of the NAP service available there, which has vanished in Windows 10. So, it seems that we should use another authentication agent on the client side.


Long story short, I want to make sure that using Cisco ISE, Windows 10, Cisco 2960 and 3750 switches (Access Switches) I can implement the scenario specified above.


I'd appreciate having the answer and also a few clues to show me how and where to start my journey :)




VIP Advocate

This is possible, but it depends on how much understanding you have of ISE. If your ISE and AD are working together, and if you have the right set of rules configured in ISE and the right set of rules on the switches, then in this case you can get more out of it. (Simple answer: yes, you can do dot1x so that only AD computers connected to the switches can access your network resources.)

please do not forget to rate.

Many thanks for your quick answer. Do I need an advanced ISE license to get there? Do Cisco 2960 and 3750 series support this (is IOS 15.x enough?) and what is the agent/service needed on the client side? Any special thing or prerequisites to consider?


I know this is not so easy to do, but I hope that with my understanding of Dot1x, the authentication process, my NPS experience, etc., I will be able to implement it. It would be kind to be pointed to any configuration guide or starting point for this (AD, ISE scenarios).


Best regards,


Yes, the 2960 and 3750 do support dot1x. Here is all the information you need.

please do not forget to rate.
Cisco Employee

ISE Secure Wired Access Prescriptive Deployment Guide will help you with this.

See the ISE Compatibility Guides and if that doesn't answer your questions, see Does ISE Support My Network Access Device?

Thanks so much.

Another feature I'm looking for is giving access to users. Let me copy my post from the VMware communities:


Since our remote users log into shared desktops (Citrix desktops), there may be tens of users on the same VM. What we need to do is to restrict their access to other parts of the network, say simply RDP to a special server. If it was a physical machine or VM with a single user, I guess IDFW could do the work using the User-IP match. But as mentioned, many users are logged on the same VM so a single host IP is assigned to them.


Is there any way (is ISE capable of this) to restrict access for RDP, or any access rule based on network protocols, to a server for just some users on the same desktop (and naturally one IP)?


Best regards



Are those users concurrently logged in to the shared desktop? I mean, do you have 2 or more users concurrently logged in, and would you need different authorisations for each individual user, though all traffic is being sourced from the same IP address? Or, even though many users can connect, is only one user session active at any given point in time?



Cristian Matei.


Concurrently.


This is a terminal service provided by Citrix XenApp. About 20-50 users are simultaneously on the same VM (a 2016 VM typically).




As far as I'm aware, Citrix XenApp supports VIP and VMAC, so each individual user terminal session should have its own "IP" and "MAC". In this case, configure the NIC for 802.1x with user authentication and computer authentication (user authentication so that each user gets a different authorization from ISE in the form of a dACL, as this is what you want to achieve, and computer authentication because if the computer is not authorised by the switch/ISE, then, as all traffic in/out on the port except EAPOL is dropped, your users will not be able to access the terminal server to begin with). Configure your switches for 802.1x without MAB and use host-mode of "multi-auth" so that each new VMAC needs to be authenticated, and integrate your switch with ISE.

Also, all users will be in the same VLAN and IP subnet, the access VLAN configured on the switch port, but that's not a problem since you restrict access by ACL anyways.



Cristian Matei.
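
As an added example (not part of the original thread and not Cisco's own tooling): a small Python check that parses a switch running-config and flags access ports that deviate from the setup described in the reply above, namely 802.1X enabled, host-mode "multi-auth", and no MAB. The sample config and interface names are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample running-config; interface names are placeholders.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/11
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/12
 switchport mode access
!
"""

# Per-port lines the described setup needs: every MAC authenticates on its own.
REQUIRED = (
    "authentication host-mode multi-auth",
    "authentication port-control auto",
    "dot1x pae authenticator",
)

def audit_access_ports(config: str) -> dict:
    """Return {interface or 'global': [findings]} for deviations from the setup."""
    findings = {}
    if not re.search(r"^dot1x system-auth-control$", config, re.M):
        findings["global"] = ["missing: dot1x system-auth-control"]
    # An interface stanza is the 'interface' line plus its indented body lines.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        lines = [line.strip() for line in m.group(2).splitlines()]
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        issues = [f"missing: {req}" for req in REQUIRED if req not in lines]
        if "mab" in lines:
            issues.append("MAB enabled")  # MAC address alone would grant access
        if issues:
            findings[m.group(1)] = issues
    return findings
```

Running `audit_access_ports(SAMPLE_CONFIG)` reports the second port (multi-host with MAB) and the third (no 802.1X at all) and leaves the first one clean.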

Great! I didn't know that Citrix (and Windows together) have the capability of assigning a per-user IP to the sessions. This will help us a lot. Let me study this feature, its capabilities and limitations, and then get back to this thread.

Now, all users log in to some VDA servers and share the same IP, so many restrictions and access controls are not possible.


Thanks again

