ISE best practice for computer authentication question

BrianPersaud
Spotlight

Hi All

I am in the process of deploying ISE at a company.  The question is focused on wired authentication for AD joined computers.

Is there a benefit of doing authorization using certificates vs ISE checking if the computer is in a particular AD group e.g. Domain computers?

I am on ISE 2.4 Patch 9

Thanks

Brian

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Some benefits of cert-based auth are:

  • AD replications on password changes could be slow
  • Password authentication might not be allowed; e.g. Microsoft Windows Defender Credential Guard


2 Replies

Damien Miller
VIP Alumni
You can still check group membership or AD attributes of machines when doing certificate authentication. It is common to leverage one or the other to provide differentiated access while doing machine certificate auth.

Taking it a step further, you could also leverage AnyConnect NAM with EAP chaining, authenticating both the machine and user at the same time.

It really comes down to the unique requirements of the deployment; no one is the same, and there are many valid methods.