ISE BYOD NSP with AD domain user

wileong · ‎01-05-2018

Hi,

Testing ISE 2.3P1 BYOD flow using NSP. Certificate successfully installed and Windows 7 does not seem to be able to use the certificate for authentication.

With the same endpoint the certificate authentication work before joining domain.

Any specified privilege needed?

Wing Churn

hslai · ‎01-05-2018

Please check whether any GPO from the domain is controlling the configuration for the native supplicant. This process requires local admin privileges and the certificate might be installed under a different user, if one used in the UAC prompt.

wileong · ‎01-07-2018

Hi,

Do you by any chance have a document handy for AD requirement? I am hacing issue on another use case which require NSP to download AnyConnect.

Wing Churn

hslai · ‎01-08-2018

There is no requirement for AD. ISE BYOD would work with endpoints not joined to the AD, but it does need the user in the local admin group of the client device.

An AD administrator may use GPO to enforce the Windows supplicant behavior, however, as shown in [ISE Lab Guide] ISE Active Directory Integration.