cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
569
Views
0
Helpful
1
Replies

ISE 2.3 || ISE-PIC with Domain Computers

musultan
Cisco Employee
Cisco Employee

Hi Team,

My Customer is asking the following use-case based on AD group and passive ID:


Deny policy for the PC without Domain.

Permit policy for Domain User and Computer.


My understanding is that we don't support the Domain Computers in PassiveID... is that correct?


Please advise.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10
Level 10

Passive ID validates user login events.  If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.  Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig

View solution in original post

1 Reply 1

Craig Hyps
Level 10
Level 10

Passive ID validates user login events.  If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.  Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig