ISE 2.0 Domain & Non Domain Machine Auth Problem

kamlenegi
Level 1

Hi,

Can anyone suggest an ISE 2.0 authorization policy for domain and non-domain machines?

Requirement: domain machines should authenticate with a domain user ID and password using PEAP, but non-domain machines should not be able to authenticate using domain credentials in the Windows supplicant.

I am trying it using the "user or computer" setting and selecting an authorization policy (domain computers & domain users).

Thanks

Kamlesh


7 Replies

nspasov
Cisco Employee

Hi Kamlesh,

You can definitely do that. What you will need to do is:

For Authentication:

- Allow PEAP-MSCHAPv2 as the authentication protocol

- Select Active Directory for the Authentication Store

For Authorization:

- Create a rule that checks that the endpoint is part of the desired AD group (for instance, domain computers)

- Deny everything else

The Windows Computers should be configured to:

- Perform PEAP based authentication

- Computer type authentication only

- Set to trust the CA that signed the ISE certificate

I hope this helps!

Thank you for rating helpful posts!

Thanks Neno,

I have done this for domain users, but now I am facing a problem: sometimes domain users initially get an APIPA IP address, and only after a release/renew do they get an actual IP. The same issue is happening with guest wireless users. Is there any KB for Windows 7 Service Pack 1, 32-bit OS?

Thanks

Kamlesh

Sounds like the DHCP requests are timing out and as a result the client is getting the 169.x.x.x address. What values do you have for your timers?

Thank you for rating helpful posts!

Hi Neno,

Attached is a snapshot of the timers. One more question regarding licensing: ISE is consuming licenses for old connections which are not active but are still showing as authenticated & started. Is there any setting I need to change in ISE?

Thanks

Kamlesh

So you are doing a VLAN override on the guest clients? The reason I ask is because I have never been able to get that feature to work well. Instead, I have always preferred to use DACLs (Switched Guests) and Named-ACLs (WLCs). 

If you must use that feature I would suggest increasing the timers a bit and see if that works. 

For your licensing question:

The Cisco ISE license is counted as follows:

  • A Base or Advanced license is consumed based on the feature that is utilized.
  • An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
  • Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

Note: Sessions without RADIUS activity are automatically purged from the Active Session list every 5 days or if the endpoint is deleted from the system.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on the network and generate alarms when endpoint counts exceed the licensed amounts:

  • 80% Info
  • 90% Warning
  • 100% Critical

Thank you for rating helpful posts!
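To make the counting rules above concrete, here is an added example (not from this thread or from Cisco) that applies them to a constructed set of RADIUS accounting events: one licence per network connection (so a laptop on wired and wireless holds two), VPN sessions keyed by IP address, a session counted while a Start has been seen without a Stop, and idle sessions dropped after the 5-day purge. Field names mirror the RADIUS attributes; the MACs, IPs, timestamps and licence count are made up.

```powershell
# Added example, not from the thread or from Cisco: ISE licence counting
# rules applied to constructed RADIUS accounting events. Field names mirror
# Acct-Status-Type, Calling-Station-Id, Framed-IP-Address and NAS-Port-Type;
# every value below is invented for illustration.

$licensedEndpoints = 10                     # ASSUMED licence count
$purgeAfterDays    = 5                      # idle sessions leave the active list after 5 days
$now               = Get-Date '2016-03-10 09:00'

$events = @(
    @{ Time='2016-03-10 08:00'; Status='Start';          Mac='00-11-22-33-44-55'; Ip='10.1.1.10';  Port='Ethernet' },
    @{ Time='2016-03-10 08:05'; Status='Start';          Mac='00-11-22-33-44-55'; Ip='10.1.2.10';  Port='Wireless-802.11' }, # same laptop, second link
    @{ Time='2016-03-10 08:10'; Status='Start';          Mac='66-77-88-99-AA-BB'; Ip='10.1.1.11';  Port='Ethernet' },
    @{ Time='2016-03-10 08:30'; Status='Stop';           Mac='66-77-88-99-AA-BB'; Ip='10.1.1.11';  Port='Ethernet' },        # clean logoff
    @{ Time='2016-03-01 07:00'; Status='Start';          Mac='CC-DD-EE-FF-00-11'; Ip='10.1.1.12';  Port='Ethernet' },        # Stop never arrived
    @{ Time='2016-03-09 12:00'; Status='Start';          Mac='22-33-44-55-66-77'; Ip='10.1.1.13';  Port='Ethernet' },
    @{ Time='2016-03-10 08:50'; Status='Interim-Update'; Mac='22-33-44-55-66-77'; Ip='10.1.1.13';  Port='Ethernet' },        # keeps the session alive
    @{ Time='2016-03-10 08:40'; Status='Start';          Mac='';                  Ip='192.0.2.50'; Port='Virtual' }          # VPN, keyed by IP
)

# One licence per network connection: wired and wireless from the same MAC
# are two sessions; VPN sessions are identified by IP address instead.
function Get-SessionKey($e) {
    if ($e.Port -eq 'Virtual') { return "vpn:$($e.Ip)" }
    return "$($e.Mac)/$($e.Port)"
}

# Replay the events in time order and keep one row per session key.
$sessions = @{}
foreach ($e in ($events | Sort-Object { [datetime]$_.Time })) {
    $key = Get-SessionKey $e
    $t   = [datetime]$e.Time
    switch ($e.Status) {
        'Start' { $sessions[$key] = @{ Key=$key; LastSeen=$t; Stopped=$false } }
        'Stop'  { if ($sessions.ContainsKey($key)) { $sessions[$key].Stopped = $true } }
        default { if ($sessions.ContainsKey($key)) { $sessions[$key].LastSeen = $t } }   # Interim-Update = RADIUS activity
    }
}

# Active = Start received, no Stop yet, and RADIUS activity inside the purge window.
$active = @($sessions.Values | Where-Object {
    -not $_.Stopped -and ($now - $_.LastSeen).TotalDays -le $purgeAfterDays
})
$stale = @($sessions.Values | Where-Object {
    -not $_.Stopped -and ($now - $_.LastSeen).TotalDays -gt $purgeAfterDays
})

$pct   = [int][math]::Floor(100 * $active.Count / $licensedEndpoints)
$alarm = if ($pct -ge 100) { 'Critical' } elseif ($pct -ge 90) { 'Warning' } elseif ($pct -ge 80) { 'Info' } else { 'none' }

"Sessions holding a licence: $($active.Count)/$licensedEndpoints ($pct%), alarm: $alarm"
$active | Sort-Object { $_.Key } | ForEach-Object { "  $($_.Key)  last seen $($_.LastSeen)" }
"Started but idle for more than $purgeAfterDays days (purged, no licence):"
$stale  | ForEach-Object { "  $($_.Key)  last seen $($_.LastSeen)" }
```

With these inputs four sessions hold a licence (both links of the first laptop, the host kept alive by its Interim-Update, and the VPN user), the cleanly stopped session does not, and the host whose Stop never arrived is only released by the 5-day purge. That last row is the situation Kamlesh describes: a session that shows as started and authenticated keeps consuming a licence until a Stop arrives or the purge runs, so the thing to check is whether the switch or WLC is actually sending Accounting-Stop for those old connections.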

Thanks Neno,

I am changing the solution for guests and assigning an IP address which is unauth.

One more question regarding mobile wireless users in FlexConnect. It seems that a FlexConnect environment doesn't support MAC filtering. Is there any way ISE can support MAC authentication for mobile devices? My requirement is that three groups of mobile users should get different subnets, which is possible on the WLC by making three SSIDs, but they should MAC authenticate, which is not possible on the WLC using FlexConnect. Three different subnets are required for proxy filtering.

Thanks for your help.

You are most welcome!

Regards, 

Neno