ISE and Microsoft AD machine authentication

Johannes Luther
Level 4

Hello Security masters,

My goal is to perform a PEAP authentication against Microsoft AD with the machine credentials of the Windows PC.

The question is, what does my authorization policy look like? From my understanding, I have different possibilities to solve this:

1.) Directly referencing the AD group where the computer objects are stored:

If "Any" and <AD-NAME>:ExternalGroups equals <DOMAIN>/COMPUTERS then PermitAccess

Drawback: If I have multiple subdomains, or if the computer accounts are stored in different OUs or groups, I have to check all of them (multiple rules or compound conditions).

2.) Username checking

If "Any" and Network Access:UserName STARTS_WITH host\ then "PermitAccess"

I'm checking whether the username starts with "host\", which is normally an indicator of a machine/computer account.

3.) Attribute checking

If "Any" and <AD-NAME>:servicePrincipalName STARTS_WITH host\ then "PermitAccess"

I'm checking the value of the "servicePrincipalName" attribute in AD. Normally only computers have this attribute, and the value is "host\<PC-NAME>".

Is one of these three approaches the right way to do it, or am I doing it completely wrong?

Is there a best-practice approach to do this? How did you guys solve this?

Best regards and thank you in advance

Johannes

4 Replies

nspasov
Cisco Employee

Hello Johannes-

I think your option #1 would do just fine as long as you find a common AD group that all machines are part of. A good example would be "Domain Computers." I think if you have sub-domains things should work fine as well, as long as you have the proper trust relationship set up.

Hope this helps

Thank you for rating!

Johannes Luther
Level 4

Hi Neno,

Thank you for your answer.

There are multiple domains in the forest and the computer / machine accounts are in multiple groups.

So a trust relationship is not enough to reach the goal. In ISE you have to add all these groups to the ISE search index in the External Identity Sources - AD settings. Plus, you'll have to check for all these groups in the authorization policy (either manually or with a compound condition).

Is that right?

Hi Johannes-

Yes, you will need to import all of the groups that you would want ISE to reference. I can see what you mean by having several sub-domains and having to build tons of rules for it. Perhaps you can use fewer rules but use the "OR" function instead of the "AND."

If that does not work then you will have to use some other common attribute that all workstations share.

manjeets
Level 3