ISE 802.1X Double Auth (PC+USER) - Question about Local PC built-in Accounts

Rigels_Sino
Level 1

Hello all, hope you are all doing well.

I have been implementing Cisco ISE for a client of our company and I have configured double authentication to first authenticate the PC based on Active Directory Domain Computers groups and then authenticate the user based on Active Directory User Groups.

 

Regarding the first authentication, of course I have configured just a DACL to permit traffic towards the AD, DNS and DHCP servers.

 

Now the question comes: how do I allow a Local Administrator account of the PC (Local Users and Groups) to get full access upon authentication?

When I try to log in with the local administrator, that user gets logged in but is given the DACL of the Machine Authentication from ISE (just permitting AD, DNS and DHCP), and in the ISE RADIUS logs the authentication is shown as suspected --> failed.

The only way so far to allow full access is that when an IT Helpdesk member goes to an end user, I manually disable the pae authenticator from the access switch port, which is extra administrative work.

 

Has anyone come across this?

 

Thank You,

Rigels Sino
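For readers who want to see what the machine-authentication DACL mentioned above typically needs to contain so that a domain-joined PC can still reach its domain controller, DNS and DHCP before the user authenticates, here is an added example of such a DACL in Cisco IOS ACE syntax as ISE would push it. This is not the poster's configuration; the server addresses are constructed placeholders, and the port list assumes a standard Windows AD environment (DHCP, DNS, Kerberos, LDAP/GC, SMB for SYSVOL/GPO, RPC endpoint mapper plus the default dynamic RPC range, NTP).

```cisco
! Constructed example: dACL "MACHINE-AUTH-ONLY", downloaded by ISE to the
! switch port after a successful computer (machine) 802.1X authentication.
! Placeholder addresses: 10.0.0.10 = domain controller / DNS, 10.0.0.20 = DHCP.
! ISE rewrites "any" in the source position to the authenticated host's IP.

! DHCP: the PC needs an address before anything else
permit udp any eq bootpc any eq bootps
! DNS to the domain controller (UDP and TCP, large responses fall back to TCP)
permit udp any host 10.0.0.10 eq domain
permit tcp any host 10.0.0.10 eq domain
! Kerberos authentication and kpasswd (machine account password changes)
permit tcp any host 10.0.0.10 eq 88
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 464
permit udp any host 10.0.0.10 eq 464
! LDAP, LDAPS and Global Catalog (site lookup, group membership)
permit tcp any host 10.0.0.10 eq 389
permit udp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 636
permit tcp any host 10.0.0.10 eq 3268
permit tcp any host 10.0.0.10 eq 3269
! SMB for SYSVOL / Group Policy, RPC endpoint mapper and dynamic RPC range
permit tcp any host 10.0.0.10 eq 445
permit tcp any host 10.0.0.10 eq 135
permit tcp any host 10.0.0.10 range 49152 65535
! Time sync (Kerberos tolerates only a small clock skew)
permit udp any host 10.0.0.10 eq 123
! Dedicated DHCP server, if not co-located on the DC
permit udp any host 10.0.0.20 eq bootps
! Everything else is dropped until the user authentication succeeds and
! ISE replaces this dACL with the user's authorization profile.
deny ip any any
```

Because this dACL is what a local (non-AD) account inherits after the user phase fails, anything it permits is reachable by whoever is logged into the machine; keep it to the domain controllers and infrastructure hosts only.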

5 Replies

Hi @Rigels_Sino 

That is to be expected. Why are the helpdesk users logging into the domain computer using the local administrator accounts? Why not make an AD domain group a member of the Built-in Local Administrators group, therefore they have local admin rights and can still authenticate to the network successfully.

 

HTH

Yup exactly Rob, same thing as I wondered, it is just a requirement of the client

Was wondering if there would be a workaround to use local administrator account, although this is the solution for sure and will definitely suggest it to be implemented asap.

 

Thnx,

Rigels

@Rigels_Sino,

Rob Ingram's suggestion is sound.

On the other hand, if the local admin accounts are only a handful and not overlapping with those in AD, then, we may create the credentials and the group memberships as ISE internal users or in another ID store and use an identity source sequence in ISE as the auth source so that ISE may try AD first and then another ID store.

 


Well the local administrator account will be sent to ISE for authenticating, which will fail as ISE cannot authenticate the local user. Is your client set on this idea, I'd suggest you present this alternative solution and see what they say, they may not have considered it.

 

HTH

ilay
VIP

Your authentication and authorization policy rely on the AD username and group; it is the only credential to pass the Dot1x authentication.

Under this condition, you can manually set the 802.1X configuration of the PC, or try to use AnyConnect NAM (AnyConnect Network Access Manager); it can prompt you to type a username and password to help complete the 802.1X authentication.

 

You can get NAM in the AnyConnect predeploy or webdeploy pkg file:

https://software.cisco.com/download/home/286281283/type/282364313/release/4.9.04053
