1609 Views | 1 Helpful | 9 Replies

ISE and AD question when the host machine is in a certain OU. Authorization is changing when user logs in.

ntwkdsnr123
Level 1

Hi There,

I'm trying to set up a public type kiosk that will have restricted access to certain network resources.  I have ISE 2.1 running and is currently integrated with Active Directory.  The access is going to be determined via a DACL that will get downloaded to the Cisco switch interface that the kiosk is connected to.  I am looking for a certain Organizational Unit in AD that the kiosk machine is a member of.

When the kiosk PC is booted up and authenticates via dot1x, the OU is matched and the DACL is applied to the interface.

At that point the installer or tech logs into AD with a generic login on the kiosk, ISE goes down through again in our authorization policies and matches the AD user for our domain and then applies another policy, and downloads one of our standard DACLs.

Is there a way to only use the defined machine that is in AD instead of the Machine then Domain User?  Or a way to stop the process after the interface receives the correct DACL?

Thanks,

Ed

Accepted Solution

Jason Kunst
Cisco Employee

What about machine auth only and then do cwa portal

CWA chaining


9 Replies


As Jason said, it sounds like you just want Computer Auth only and don't ever want the supplicant to transition to user auth.  The default setting for the Windows supplicant, when enabled, is Computer or User.  Just go in and change the supplicant to Computer Only and you should be set.

[Attachment: Computer Auth.JPG]

Is it possible for him to do the following:

On ISE:

AuthC: if domain pc, then use AD1

AuthZ: if domain pc, then permit-access with dACL

on PC: PEAP, Computer authentication

Yes, but to be clear, because this is often a point of confusion with customers, you have the AuthC part wrong:

AuthC: Valid AD credentials (computer or user)

AuthZ: If member of Domain Computers and PEAP then permit access with dACL.

There is nothing other than valid AD credential checking happening in the AuthC phase. All the magic in ISE happens in Authz.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

ntwkdsnr123
Level 1

Thanks Everyone,

I forgot that in the DOT1X config I could specify Computer and User, or just Computer.

I am going to try this first.

Thanks Jason & Paul

-Ed

If you do computer only then you will lose the ability to track user logins and audit trail

so you could chain with CWA
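The machine-then-user transition Ed describes (machine identity authorized with the kiosk dACL, then the same endpoint re-authorized as a domain user with a standard dACL) is visible in the authentication records. The following is an added example, not code from the thread or from Cisco: it scans a constructed, simplified set of ISE-style passed-authentication records (field names and format are assumptions, not real ISE log syntax) and flags every endpoint whose dACL changed when its session moved from a host/ identity to a user identity on the same port.

```python
import re

# Constructed, simplified ISE-style passed-authentication records (NOT real ISE
# log output). Fields (timestamp, mac, port, identity, authz, dacl) are assumed.
SAMPLE_LOG = """\
2024-05-01T08:00:01 mac=00:11:22:33:44:55 port=Gi1/0/7 identity=host/KIOSK-01.corp.example authz=Kiosk_Restricted dacl=KIOSK_DACL
2024-05-01T08:02:30 mac=00:11:22:33:44:55 port=Gi1/0/7 identity=CORP\\kiosksvc authz=Domain_Users dacl=STANDARD_DACL
2024-05-01T08:05:00 mac=66:77:88:99:aa:bb port=Gi1/0/8 identity=host/KIOSK-02.corp.example authz=Kiosk_Restricted dacl=KIOSK_DACL
2024-05-01T08:10:00 mac=66:77:88:99:aa:bb port=Gi1/0/8 identity=host/KIOSK-02.corp.example authz=Kiosk_Restricted dacl=KIOSK_DACL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>\S+) port=(?P<port>\S+) "
    r"identity=(?P<identity>\S+) authz=(?P<authz>\S+) dacl=(?P<dacl>\S+)$"
)


def parse(log):
    """Parse the constructed record format into a list of dicts, skipping junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_machine_identity(identity):
    # Windows machine accounts authenticate as host/<fqdn>; anything else is a user.
    return identity.lower().startswith("host/")


def find_dacl_transitions(events):
    """Return (mac, port, old_dacl, new_dacl, user) for each endpoint that was
    authorized with its machine identity and then re-authorized as a user with a
    different dACL on the same port: the machine -> user transition from the thread."""
    findings = []
    last = {}  # (mac, port) -> most recent event for that endpoint/port
    for ev in events:
        key = (ev["mac"], ev["port"])
        prev = last.get(key)
        if (prev and is_machine_identity(prev["identity"])
                and not is_machine_identity(ev["identity"])
                and prev["dacl"] != ev["dacl"]):
            findings.append((ev["mac"], ev["port"], prev["dacl"], ev["dacl"], ev["identity"]))
        last[key] = ev
    return findings


if __name__ == "__main__":
    for mac, port, old, new, user in find_dacl_transitions(parse(SAMPLE_LOG)):
        print(f"{mac} on {port}: dACL {old} -> {new} after user login by {user}")
```

KIOSK-02 never moves off its machine identity (the Computer Only supplicant behaviour the replies recommend), so only KIOSK-01 is reported; with Computer Only in place, the user-login records that made this check possible are the audit trail Jason says you give up.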

Hi Folks,

I set just computer authentication under the 802.1x setting on the Windows machine.  Authentication is failing now.  In ISE details I see a 5400 Authentication failed event and a 12511 Unexpectedly received TLS alert message from the client.

The resolution suggested has to do with trusting the ISE server certificate.

Am I on the right path here? Or can it be something else?

Thanks,

Ed

Ed,

Didn’t you say that computer authentication was working before?

Is this computer joined to the domain? Did you keep the setting at PEAP? What happens when you reboot and don’t login?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

When testing, can you try unchecking "validate server certificate" in your PEAP settings on the Windows PC? So you can tell if it's a RADIUS server cert issue?