ISE Authenticating new users via Active Directory with PEAP

imanv
Level 1

Hello.

I configured ISE dot1x to authenticate users against AD over PEAP with inner method MSCHAPv2.

Everything goes well until a new user in Active Directory wants to log in for the first time on a domain PC.

The new user doesn't have any previous login to the PC, and we know that there isn't any user profile associated with it.

Then the new user won't be able to log in to the domain PC.

After that, as I configured MAB under the interfaces, the MAB policy activated. But I don't permit user logins via MAB, and so no authentication happened.

ISE log details are attached:

- Cisco ISE 2.7 Patch 3

Would you please help me to solve this issue?

Best Regards.

7 Replies

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html

Since you use PEAP, you need the ISE CA certificate installed in the client; please review the above link.

Thank you very much for your answer.

The ISE certificates were installed on all PCs previously. The users are working fine now. But I have a problem with new users without any previous login on their computers.

The scenario is like this:

1- A new user is created in AD and a domain-joined PC is delivered to him/her. As the new user has never logged in to this PC, there is no profile there.

At the login screen, I saw the attached "Windows Login Error" screenshot.

2- A current AD user wants to log in to another PC in the network. As this user has never logged in to this PC before, I saw the attached "Windows Login Error" screenshot.

I appreciate your time to solve my problem.

hslai
Cisco Employee

The new user needs connectivity to AD to authenticate and to get the certificates, etc. For Windows, we may allow such connectivity for the computer auth.

Thank you very much for your advice.

Is there any solution when we are in Closed Mode?

Would you please share your experience for this kind of situation?

You mean I should open this access by changing the interface configuration and setting a temp VLAN? Am I right?

imanv
Level 1

Thanks hslai for your hint.

I solved my problem. Here is my solution. I will be happy to hear any other solution.

- Insert an ACL under the interface named "PREAUTH" and permit the ISE PSNs & DCs.

- Configure a temporary VLAN on the switch for supplicants before authorization.

- Create a policy with the following rules:

-- If the machine was authenticated (in this scenario using the Windows machine account against the DC, by using an Authentication Source Sequence), then the temp VLAN and corresponding dACL will be applied.

For better security, I added posture to this configuration.

Best Regards.

Hi imanv

What you saw is exactly a chicken-and-egg issue: in order to talk to the DC you need to be authenticated & authorized, but for authentication & authorization to succeed you need connectivity to the domain controllers.

Glad that the problem was solved. If I were you I would not configure a pre-auth ACL; just configure the supplicant with User or Machine Authentication, so when no user is logged in to the PC, the supplicant sends the PC hostname to the NAD for authentication at ISE through AD.

So a single rule in the authorization policy with the condition "PC is a member of the AD Domain Computers group" (which covers any PC joined to the domain) would apply a dACL permitting some sort of access to DNS, DC, DHCP and maybe other critical services like SCCM, WSUS, etc. Then, below that rule, you could have your specific rules matching on user AD group and restrict access based on that.

Regards,
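The two posts above (imanv's accepted solution and the dACL approach in the reply) describe the same design; the following IOS configuration sketch is an added example, not the posters' own configuration, of how that design looks on the switch: a domain-joined PC authenticating with its computer account lands in a temporary VLAN with an ACL that permits only DHCP, DNS, the domain controllers and the ISE PSNs, and the user rules below it assign the production VLAN. The ACL name PREAUTH and the Domain Computers condition come from the thread; every IP address, VLAN ID, interface name and the RADIUS key are constructed placeholders.

```cisco
! Constructed example for an IOS access switch; not the posters' configuration.
! All addresses, VLAN IDs, the interface name and the key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN1
 address ipv4 10.10.1.20 auth-port 1812 acct-port 1813
 key REPLACE-ME
radius-server vsa send authentication
ip device tracking
dot1x system-auth-control
!
! ACL that ISE returns (as Filter-ID, or as an equivalent dACL) when only the
! machine account has authenticated: enough for a first logon to reach a DC,
! nothing else until the user authenticates.
ip access-list extended PREAUTH
 remark DHCP, DNS, domain controllers and ISE PSNs only (placeholder hosts)
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.0.53 eq domain
 permit ip any host 10.10.0.10
 permit ip any host 10.10.0.11
 permit ip any host 10.10.1.20
 deny ip any any
!
! Closed mode: no "authentication open", so nothing but EAPOL passes before
! ISE authorizes the session. MAB stays as a fallback for non-supplicant devices
! only; ISE policy below does not admit users via MAB.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 900
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ISE authorization policy, evaluated top to bottom (configured in the ISE GUI):
!  1. Machine authenticated (AD computer account, member of Domain Computers)
!     -> temporary VLAN 900 + ACL PREAUTH above
!  2. User authenticated (PEAP-MSCHAPv2, matched on AD user group)
!     -> production VLAN, no PREAUTH restriction
!  3. Default -> DenyAccess
```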

Thank you very much for your reply to my question.

Actually, I did it. The PREAUTH access list on the switch is applied to the interface when the machine has authenticated against Active Directory and the posture state is unknown.

To complete this solution, I want to say that machine authentication against the DC in Windows 10 using an AnyConnect NAM profile (which I did) may hit this problem, which was previously solved at the link below.

https://community.cisco.com/t5/vpn/windows-10-machine-authentication-with-anyconnect-nam/m-p/3462167

The best way I found, and implemented, is authenticating the machines using certificates.