ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

Hi,

 

Could you help me with my doubt?

Can I use ISE 2.2 to authenticate (Wireless_802.1X) only AD users (without the need for the machine to be in the AD domain)?

 

Best regards

LOURENÇO, Claudio

3 Accepted Solutions


Hi,

Yes, you will need to configure the AD domain in ISE as an external identity source. Then configure the appropriate authentication and authorization rules in a policy. On the client computer (I assume Windows), just configure it to use user authentication and select PEAP/MSCHAPv2 as the authentication protocol.


Peter Koltl
Level 7

If the machine is not a domain member, then the user logon credentials are not suitable to authenticate the user in the domain for 802.1X. That is, Single Sign-on is not an option. Therefore the client must be configured not to use the logon credentials for 802.1X (uncheck Enable single sign on for this network), and an 802.1X password popup window or a bubble will appear after the logon where the user must enter a valid domain username and password.

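A check for the client-side settings described in the two answers above, as an added example that is not part of the original posts: it audits a Windows WLAN profile XML (as exported with `netsh wlan export profile`) for user-only 802.1X authentication with single sign-on disabled. The sample profile is constructed, `EXAMPLE-SSID` is a placeholder, and it is an assumption that the exported profile carries the `authMode` and `singleSignOn` elements in its `OneX` section as shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads (EAP body omitted).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>EXAMPLE-SSID</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    # First element (root included) whose local name matches, or None.
    return next((e for e in root.iter() if _local(e.tag) == name), None)

def audit_profile(xml_text):
    """Return findings for a non-domain-joined client; an empty list means OK."""
    root = ET.fromstring(xml_text)
    use_onex = _find(root, "useOneX")
    if use_onex is None or (use_onex.text or "").strip().lower() != "true":
        return ["802.1X is not enabled for this profile (useOneX is not true)"]
    findings = []
    onex = _find(root, "OneX")
    auth_mode = _find(onex, "authMode") if onex is not None else None
    mode = (auth_mode.text or "").strip() if auth_mode is not None else "(unset)"
    if mode != "user":
        findings.append(f"authMode is {mode}; set it to 'user' for user-only authentication")
    if onex is not None and _find(onex, "singleSignOn") is not None:
        findings.append("singleSignOn is configured; disable it so the user is "
                        "prompted for domain credentials after logon")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```
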

5 Replies

I'm going to do a lab because I have a Cisco ISE implementation.

Thank you very much for your attention RJI.

 

I did the lab and it worked!

Thank you very much, RJI and Peter Koltl, for your attention.