Solved: ISE 2.3 || ISE-PIC with Domain Computers

musultan · ‎09-26-2017

Hi Team,

My Customer is asking the following use-case based on AD group and passive ID:

Deny policy for the PC without Domain.

Permit policy for Domain User and Computer.

My understanding is that we don't support the Domain Computers in PassiveID... is that correct?

Please advise.

Craig Hyps · ‎09-26-2017

Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig

View solution in original post

Craig Hyps · ‎09-26-2017

Passive ID validates user login events. If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert. Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig