05-23-2017 11:16 AM
Hi There,
I'm trying to set up a public-type kiosk that will have restricted access to certain network resources. I have ISE 2.1 running and it is currently integrated with Active Directory. The access is going to be determined via a DACL that will get downloaded to the Cisco switch interface that the kiosk is connected to. I am looking for a certain Organizational Unit in AD that the kiosk machine is a member of.
When the kiosk PC is booted up and authenticates via dot1x, the OU is matched and the DACL is applied to the interface.
At that point the installer or tech logs into AD with a generic login on the kiosk, ISE goes down through our authorization policies again, matches the AD user for our domain, then applies another policy and downloads one of our standard DACLs.
Is there a way to only use the defined machine that is in AD instead of the Machine then Domain User? Or a way to stop the process after the interface receives the correct DACL?
Thanks,
Ed
05-23-2017 11:25 AM
What about machine auth only and then do a CWA portal?
CWA chaining
05-23-2017 12:16 PM
As Jason said, it sounds like you just want Computer Auth only and don't ever want the supplicant to transition to user auth. The default setting for the Windows supplicant when enabled is Computer or User. Just go in and change the supplicant to Computer Only and you should be set.
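One way to make that supplicant change without clicking through the adapter's Authentication tab, as an added example that is not from this thread: export the wired 802.1X profile with netsh, set the OneX authMode to machine, and import it back. It assumes the adapter is named Ethernet, that 802.1X with PEAP is already enabled on it, and that it runs from an elevated prompt.

```powershell
# Added example: switch the Windows wired supplicant from the default
# "Computer or user" (machineOrUser) to "Computer only" (machine).
# Assumptions: NIC is named "Ethernet", 802.1X/PEAP is already enabled
# on it, and this runs elevated. Adjust $Interface for your adapter.

$Interface = 'Ethernet'                       # assumed adapter name
$Work      = Join-Path $env:TEMP 'dot1x-profile'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
Remove-Item -Path (Join-Path $Work '*.xml') -ErrorAction SilentlyContinue

# Wired AutoConfig (dot3svc) must be running for "netsh lan" to work at all.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# 1. Export the current wired profile for the adapter to XML.
netsh lan export profile folder="$Work" interface="$Interface" | Out-Null
$ProfilePath = Get-ChildItem -Path $Work -Filter '*.xml' |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $ProfilePath) { throw "No wired profile exported for '$Interface'" }

# 2. Set the OneX authentication mode. Valid values are machineOrUser
#    (the default "Computer or user"), machine, and user.
[xml]$Profile = Get-Content -Path $ProfilePath
$OneX = $Profile.LANProfile.MSM.security.OneX
if (-not $OneX) { throw 'Profile has no OneX section; enable 802.1X first' }

$AuthMode = $OneX.SelectSingleNode('*[local-name()="authMode"]')
if ($AuthMode) {
    Write-Host "Current authMode: $($AuthMode.InnerText)"
    $AuthMode.InnerText = 'machine'
} else {
    # authMode is omitted when it is still the default; add it before
    # EAPConfig (its position in the OneX sequence).
    $AuthMode = $Profile.CreateElement('authMode', $OneX.NamespaceURI)
    $AuthMode.InnerText = 'machine'
    $EapConfig = $OneX.SelectSingleNode('*[local-name()="EAPConfig"]')
    if ($EapConfig) { $OneX.InsertBefore($AuthMode, $EapConfig) | Out-Null }
    else            { $OneX.AppendChild($AuthMode) | Out-Null }
}
$Profile.Save($ProfilePath)

# 3. Re-import the profile so the supplicant picks up the change.
netsh lan add profile filename="$ProfilePath" interface="$Interface"

# 4. Verify: the profile summary should now report machine authentication.
netsh lan show profiles interface="$Interface"
```

Keep the exported XML around before editing it; importing it again with authMode set back to machineOrUser restores the original behaviour if you later decide you want the user-login audit trail after all.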
05-23-2017 12:48 PM
Is it possible for him to do the following:
On ISE:
AuthC: if domain pc, then use AD1
AuthZ: if domain pc, then permit-access with dACL
On PC: PEAP, Computer authentication
05-23-2017 12:52 PM
Yes but to be clear, because this is often a point of confusion with customers, you have the AuthC part wrong:
AuthC: Valid AD credentials (computer or user)
AuthZ: If member of Domain Computers and PEAP then permit access with dACL.
There is nothing other than valid AD credential checking happening in the AuthC phase. All the magic in ISE happens in Authz.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
05-23-2017 01:24 PM
Thanks Everyone,
I forgot that in the DOT1X config I could specify Computer and User, or just Computer.
I am going to try this first.
Thanks Jason & Paul
-Ed
05-23-2017 01:43 PM
If you do computer only then you will lose the ability to track user logins and the audit trail,
so you could chain with CWA
05-24-2017 03:37 PM
Hi Folks,
I set just computer authentication under the 802.1x setting on the Windows machine. Authentication is failing now. In ISE details I see a 5400 Authentication failed event and a 12511 Unexpectedly received TLS alert message from the client.
The resolution suggested has to do with trusting the ISE server certificate.
Am I on the right path here? Or can it be something else?
Thanks,
Ed
05-24-2017 04:17 PM
Ed,
Didn’t you say that computer authentication was working before?
Is this computer joined to the domain? Did you keep the setting at PEAP? What happens when you reboot and don’t login?
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
05-24-2017 05:56 PM
When testing, can you try unchecking "Validate server certificate" in your PEAP settings on the Windows PC? Then you can tell if it's a RADIUS server cert issue.