523 Views | 0 Helpful | 6 Replies

ISE Authorize only Domain Computers

quadrabe
Level 1

Hi

In ISE we'd like to have a Policy Set that authorizes only domain computers.
Now we're using ExternalGroups EQUALS domain/Users/Domain Computers but this does not seem to work.
Other ways like PrimaryGroupID EQUALS 515 also do not seem to do the trick for us.

6 Replies

@quadrabe is the supplicant configured to perform machine/computer authentication?
Are you using PEAP/MSCHAPv2 or EAP-TLS?
If EAP-TLS are you using a Certificate Authentication Profile and performing a lookup into AD? - example

What do the ISE Live logs indicate for the authentication? Please provide screenshots.

Hi

Yes the supplicant is configured to use machine authentication, we use PEAP/MSCHAPv2.

@quadrabe as requested, please provide screenshots of your live logs, this would provide information on how we can determine the problem.

Also provide screenshots of your authorisation rules.

Hi

Here is a screenshot.

A screenshot of the Authorization Policy is not enough information. You would need to share detailed information from the Live Logs as @Rob Ingram has suggested multiple times for us to provide any meaningful assistance.

You could be running into an issue with Authentication due to Credential Guard being enabled by MS.

You could be running into group-matching issues if the ISE computer accounts do not have read permission to the 'tokenGroups' attribute.

You can also try using the Test User tool to do a lookup against AD for the computer account and associated groups by using 'host/<computer name>' as the username.

There could be any number of reasons the session is not hitting your authorization policy.

JPavonM
VIP

As @Rob Ingram said, the supplicant must be configured for Machine auth only, or User or Machine, with the latter connecting while in the Windows login screen with the machine name, and then with the user credentials after login.

Additionally, during the authentication phase, you can limit access to RADIUS Usernames like ".*your.domain.net", but I have seen a problem with a few Win11 machines where they are not sending the full FQDN but only the hostname, so they fail to be authenticated unless a backup policy that accepts any AD credential is below.
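The three failure modes raised in this thread (the endpoint not doing machine authentication, a Windows 11 supplicant sending only the hostname so a ".*your.domain.net" User-Name condition never matches, and the AD lookup returning no groups because the ISE computer account cannot read tokenGroups) can be reasoned about with a small model of how the conditions are evaluated. The script below is an added example, not code from ISE or from any poster in this thread. It assumes that PEAP/MSCHAPv2 machine authentication presents the account as host/<name>, that ISE's MATCHES operator is regex-based, and that ExternalGroups EQUALS compares the group path case-insensitively; the sessions and group lists are constructed sample data, not real Live Log output.

```python
import re

# Constructed sample sessions (not real Live Log data). Each entry is the
# RADIUS User-Name an endpoint presented plus the groups the AD lookup of
# that account returned. An empty group list models the case from the thread
# where the ISE computer account cannot read the 'tokenGroups' attribute.
SAMPLE_SESSIONS = [
    {"user_name": "host/PC01.your.domain.net",
     "groups": ["your.domain.net/Users/Domain Computers"]},
    # Windows 11 host that sends only the hostname, not the FQDN
    {"user_name": "host/PC02",
     "groups": ["your.domain.net/Users/Domain Computers"]},
    # tokenGroups not readable: the AD lookup returns no groups at all
    {"user_name": "host/PC03.your.domain.net",
     "groups": []},
    # ordinary user authentication, not a machine account
    {"user_name": "YOURDOMAIN\\alice",
     "groups": ["your.domain.net/Users/Domain Users"]},
]

# The ExternalGroups value used in the question, with a placeholder domain.
DOMAIN_COMPUTERS_GROUP = "your.domain.net/Users/Domain Computers"

# The RADIUS User-Name restriction from the last reply, written as the
# regular expression that a MATCHES condition would evaluate (assumption).
FQDN_USERNAME = re.compile(r".*your\.domain\.net")


def is_machine_auth(user_name: str) -> bool:
    """Machine authentication presents the account as host/<name> (assumption)."""
    return user_name.startswith("host/")


def hostname_is_fqdn(user_name: str) -> bool:
    """True when the whole User-Name satisfies the FQDN regex."""
    return FQDN_USERNAME.fullmatch(user_name) is not None


def in_domain_computers(groups: list[str]) -> bool:
    """Model of ExternalGroups EQUALS <group>: case-insensitive path compare."""
    return any(g.lower() == DOMAIN_COMPUTERS_GROUP.lower() for g in groups)


def evaluate(session: dict) -> tuple[bool, str]:
    """Walk the conditions in order and report the first one that fails."""
    name = session["user_name"]
    if not is_machine_auth(name):
        return False, "not machine authentication (no host/ prefix)"
    if not hostname_is_fqdn(name):
        return False, "hostname only, no FQDN: User-Name condition does not match"
    if not in_domain_computers(session["groups"]):
        return False, "group not returned by AD lookup: check tokenGroups read permission"
    return True, "authorized as domain computer"


def summarize(sessions: list[dict]) -> dict[str, str]:
    """Map each User-Name to its result, the way you would read Live Logs."""
    return {s["user_name"]: evaluate(s)[1] for s in sessions}


if __name__ == "__main__":
    for user, reason in summarize(SAMPLE_SESSIONS).items():
        print(f"{user:32} -> {reason}")
```

Running it prints one line per constructed session; only PC01 reaches the "authorized" result, PC02 stops at the User-Name condition (the Win11 hostname-only case) and PC03 stops at the group condition, which is the symptom you would see in Live Logs when tokenGroups cannot be read. When troubleshooting a real deployment, the Test User tool lookup with host/<computer name> mentioned above is the quickest way to see which of these two lookups is actually empty.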