
ISE - Authenticate local windows account

babalao
Spotlight

Hello,

We are using dot1x closed mode, authenticating AD machines and users, and we want to be able to authenticate the local win account too (besides the user AD domain account).

We are thinking of adding the local PC admin user account as an ISE local user and using that in the authz policy too.

Would this work? Do you see any problem with that?

Thank you in advance.

Regards.

3 Replies

Arne Bier
VIP

You can't do this because ISE has no access to check the endpoints' local user account passwords. 

I am also not sure that the Windows 802.1X supplicant will perform a user network authentication when that PC is not domain joined. I might be wrong - you should test that. But either way, even if it did, then you will have to add all the local user accounts and their passwords into ISE as Network Access accounts. How do you get those passwords without asking each user? Maybe you could come up with some Frankenstein solution to integrate this into ISE via a portal or something - but it cannot guarantee that the user account information in ISE will always represent the local accounts on user machines. That's why we have AD.

Hello,

It would be only for the admin local user, and it is the same on all PCs.

Thank you

Arne Bier
VIP

I don't know if Windows performs network authentication on local accounts. Something to test in the lab with a Windows PC - I don't have one available at the moment. The Windows Supplicant must be configured for User and Computer Auth.

As far as the ISE Policy Set is concerned, in the Authentication part, you must have an Identity Source Sequence that includes the AD Join Point, and Internal Users. The order is not important, but you should consider which one should be searched first for performance and security reasons perhaps.