01-16-2013 01:39 AM - edited 03-10-2019 07:58 PM
Hello Security masters,
My goal is to perform a PEAP authentication against Microsoft AD with the machine credentials of the Windows PC.
The question is, what should my authorization policy look like? From my understanding, I have several possibilities to solve this:
1.) Directly referencing the AD group where the computer objects are stored:
If "Any" and <AD-NAME>:ExternalGroups equals <DOMAIN>/COMPUTERS then PermitAccess
Drawback: If I have multiple subdomains, or if the computer accounts are stored in different OUs or groups, I have to check all of them (multiple rules or compound conditions).
2.) Username checking
If "Any" and Network Access:UserName STARTS_WITH host\ then "PermitAccess"
I'm checking if the username starts with "host\", which is normally an indicator for a machine/computer account.
3.) Attribute checking
If "Any" and <AD-NAME>:servicePrincipalName STARTS_WITH host\ then "PermitAccess"
I'm checking the value of the "servicePrincipalName" attribute in AD. Normally only computers have this attribute, and the value is "host\<PC-NAME>".
Is one of these three approaches the right way to do it, or am I doing it completely wrong?
Is there a best-practice approach to do this? How did you guys solve this?
Best regards and thank you in advance
Johannes
01-29-2013 09:26 PM
Hello Johannes-
I think your option #1 would do just fine as long as you find a common AD group that all machines are part of. A good example would be "Domain Computers." I think if you have sub-domains, things should work fine as well, as long as you have the proper trust relationship set up.
Hope this helps
Thank you for rating!
02-03-2013 10:18 PM
Hi Neno,
thank you for your answer.
There are multiple domains in the forest and the computer / machine accounts are in multiple groups.
So a trust relationship is not enough to reach the goal. In the ISE you have to add all these groups to the ISE search index in the External Identity Sources - AD settings. Plus you'll have to check for all these groups in the authorization policy (either manually or with a compound condition).
Is that right?
02-10-2013 08:13 PM
Hi Johannes-
Yes, you will need to import all of the groups that you would want ISE to reference. I can see what you mean by having several sub-domains and having to build tons of rules for it. Perhaps you can use fewer rules but use the "OR" function instead of the "AND."
If that does not work then you will have to use some other common attribute that all workstations share.
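The three authorization conditions from the original question, with option 1 written as the OR compound over several computer groups that the reply above suggests, can be made concrete by evaluating them over a few sample sessions. The block below is an added example, not ISE configuration from the thread and not Cisco code: it does not talk to AD or ISE, it only replays the policy logic on constructed data so the difference between the options is visible. All domain names, PC names, group paths and sessions are made up, and the machine-account prefix (the post writes it with a backslash; check what your own RADIUS requests actually carry before relying on it) is passed in as a parameter rather than hard-coded.

```python
"""Toy evaluator for the three ISE-style authorization conditions.

Added example: constructed sessions and placeholder names only; this is not
an ISE policy export and does not query Active Directory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """The attributes ISE would hold for one authenticating identity (constructed)."""
    username: str                              # Network Access:UserName
    external_groups: frozenset = frozenset()   # <AD-NAME>:ExternalGroups
    spn: tuple = ()                            # <AD-NAME>:servicePrincipalName (multi-valued)


def _starts_with(value, prefix):
    # Assumption: treat STARTS_WITH as case-insensitive, since SPNs in AD are
    # often written as HOST/... while the RADIUS username arrives in lower case.
    return value.lower().startswith(prefix.lower())


def permit_by_group(session, computer_groups):
    """Option 1: ExternalGroups EQUALS any of the listed groups (OR compound)."""
    return any(group in session.external_groups for group in computer_groups)


def permit_by_username(session, prefix):
    """Option 2: Network Access:UserName STARTS_WITH <prefix>."""
    return _starts_with(session.username, prefix)


def permit_by_spn(session, prefix):
    """Option 3: any servicePrincipalName value STARTS_WITH <prefix>."""
    return any(_starts_with(value, prefix) for value in session.spn)


def build_samples(prefix):
    """Constructed sessions: two domains in one forest plus a custom OU group.

    'corp.example' and 'eu.corp.example' are placeholder domain names.
    """
    root_computers = "corp.example/Users/Domain Computers"
    sub_computers = "eu.corp.example/Users/Domain Computers"
    root_users = "corp.example/Users/Domain Users"
    return {
        # Machine in the root domain, in the default Domain Computers group.
        "pc-root": Session(f"{prefix}pc1.corp.example",
                           frozenset({root_computers}),
                           (f"{prefix}pc1.corp.example",)),
        # Machine in a sub-domain: its Domain Computers group is a different group.
        "pc-subdomain": Session(f"{prefix}pc2.eu.corp.example",
                                frozenset({sub_computers}),
                                (f"{prefix}pc2.eu.corp.example",)),
        # Machine whose account lives in a custom OU / group.
        "pc-custom-ou": Session(f"{prefix}pc3.corp.example",
                                frozenset({"corp.example/Workstations/Laptops"}),
                                (f"{prefix}pc3.corp.example",)),
        # Ordinary user: no machine prefix, no SPN.
        "user-alice": Session("alice", frozenset({root_users}), ()),
        # Service account: has an SPN, but not one starting with the machine prefix.
        "svc-web": Session("svc-web", frozenset({root_users}), ("HTTP/web.corp.example",)),
    }


def evaluate(prefix, computer_groups):
    """Return {session name: (option1, option2, option3)} for every sample."""
    return {
        name: (
            permit_by_group(session, computer_groups),
            permit_by_username(session, prefix),
            permit_by_spn(session, prefix),
        )
        for name, session in build_samples(prefix).items()
    }


if __name__ == "__main__":
    # Only the root domain's group is listed, as in the original single-rule policy.
    for name, verdicts in evaluate("host/", {"corp.example/Users/Domain Computers"}).items():
        print(f"{name:14s} group={verdicts[0]!s:5s} username={verdicts[1]!s:5s} spn={verdicts[2]!s:5s}")
```

Running it shows what the thread is circling around: with only the root domain's "Domain Computers" listed, the sub-domain machine and the machine in a custom OU fail option 1 while passing options 2 and 3, and adding the second domain's group to the OR compound is what makes option 1 match them too; the user and the service account fail all three in every variant.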
07-19-2013 07:06 AM
Kindly review the below link: