cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
373
Views
0
Helpful
1
Replies

ISE 2.3 || ISE-PIC with Domain Computers

musultan
Cisco Employee
Cisco Employee

Hi Team,

My Customer is asking the following use-case based on AD group and passive ID:


Deny policy for the PC without Domain.

Permit policy for Domain User and Computer.


My understanding is that we don't support the Domain Computers in PassiveID... is that correct?


Please advise.

1 ACCEPTED SOLUTION

Accepted Solutions

Craig Hyps
Advocate
Advocate

Passive ID validates user login events.  If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.  Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig

View solution in original post

1 REPLY 1

Craig Hyps
Advocate
Advocate

Passive ID validates user login events.  If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.  Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.

Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: