10-16-2017 12:15 PM - edited 02-21-2020 10:36 AM
Hi,
Could you help me with a question?
Can I use ISE 2.2 to authenticate (Wireless_802.1X) only the AD user (without the machine needing to be in the AD domain)?
Best regards
LOURENÇO, Claudio
10-16-2017 12:23 PM
Hi,
Yes, you will need to configure the AD domain in ISE as an external identity source. Then configure the appropriate authentication and authorization rules in a policy. On the client computer (I assume Windows), just configure it to use user authentication and select PEAP/MSCHAPv2 as the authentication protocol.
10-23-2017 02:44 AM - edited 11-29-2017 12:29 AM
If the machine is not a domain member, then the user logon credentials are not suitable to authenticate the user in the domain for 802.1X. That is, single sign-on is not an option. Therefore the client must be configured not to use the logon credentials for 802.1X (uncheck "Enable single sign on for this network"), and an 802.1X password popup window or a bubble will appear after the logon where the user must enter a valid domain username and password.
10-27-2017 10:10 AM
Hi Claudio,
The following videos are still helpful on version 2.x.
https://www.youtube.com/watch?v=bjH99xKepLY
https://www.youtube.com/watch?v=raDFQDTt9uY
https://www.youtube.com/watch?v=Vb9CVn3hoOw
https://www.youtube.com/watch?v=OCqLRzuqCW8
10-16-2017 12:29 PM
I'm going to do a lab because I have a Cisco ISE implementation.
Thank you very much for your attention, RJI.
10-24-2017 05:29 AM
I did the lab and it worked!
Thank you very much, RJI and Peter Kolti, for your attention.