ISE check if wireless device is part of domain?

04-22-2016 10:52 AM - edited 03-10-2019 11:42 PM
Greetings,
I have not found an answer searching, so thought I would ask.
They are looking at using ISE to on-board wireless devices. The issue I am running into is checking domain status to redirect to internal network.
Per other documents, we do not use EAP-FAST, and they do not want to use AnyConnect due to licensing.
My issue is that I can posture for the registry key, but I already posture for AV definition date, and a fail on the domain key would also cause a general fail.
I'm at a loss for a condition to check for domain status that can be used with the Authorization Rules.
Basically, if it's a mobile device, I check MDM for compliance. This works fine.
For a workstation, I want to check domain status and AV status to decide on quarantine, internal, or external network.
Labels: AAA
04-22-2016 01:58 PM
Maybe I am missing something from your description, but I'm not sure why you would need to check for domain member status at all with posture. If those machines are members of your AD, you can just use a GPO to roll out the wireless settings/certificates; then only those machines would be allowed onto your network. Use EAP-TLS for them, and anyone that tries PEAP would then be a non-AD member.
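
The decision discussed in this thread, modelled as first-match rules (an added example, not part of either post and not ISE policy syntax): the EAP method stands in for domain membership, so an AV posture failure no longer looks the same as a non-domain machine. The attribute names, rule names and the network each rule assigns are assumptions made for the illustration.

```python
# Added illustration: first-match authorization rules modelled in Python.
# Attribute names, rule names and the outcome of each rule are assumptions
# made for this example; this is not ISE policy syntax.

def is_mobile(s):
    return s.get("device") == "mobile"

def has_machine_cert(s):
    # EAP-TLS only succeeds with the certificate the GPO pushed to AD members,
    # so the EAP method itself answers the "is it a domain machine?" question.
    return s.get("eap") == "EAP-TLS"

RULES = [
    # (rule name, condition, network) evaluated top-down, first match wins
    ("Mobile-MDM-OK", lambda s: is_mobile(s) and s.get("mdm_compliant") is True, "internal"),
    ("Mobile-MDM-Fail", is_mobile, "quarantine"),
    ("Domain-AV-OK", lambda s: has_machine_cert(s) and s.get("av_current") is True, "internal"),
    ("Domain-AV-Fail", has_machine_cert, "quarantine"),
    ("NonDomain-PEAP", lambda s: s.get("eap") == "PEAP", "external"),
]

def authorize(session):
    """Return (rule name, network) for the first rule whose condition matches."""
    for name, condition, network in RULES:
        if condition(session):
            return name, network
    return "Default", "deny"  # unknown EAP method or missing attributes

# Constructed sample sessions (not captured from any real deployment)
SESSIONS = {
    "phone, MDM compliant": {"device": "mobile", "eap": "PEAP", "mdm_compliant": True},
    "phone, MDM failed": {"device": "mobile", "eap": "PEAP", "mdm_compliant": False},
    "domain PC, AV current": {"device": "workstation", "eap": "EAP-TLS", "av_current": True},
    "domain PC, AV stale": {"device": "workstation", "eap": "EAP-TLS", "av_current": False},
    "domain PC, no posture yet": {"device": "workstation", "eap": "EAP-TLS"},
    "personal laptop": {"device": "workstation", "eap": "PEAP", "av_current": True},
}

if __name__ == "__main__":
    for label, session in SESSIONS.items():
        print(f"{label:28} -> {authorize(session)}")
```

A domain PC with no posture result yet falls through to the quarantine rule, so a missing attribute fails closed rather than granting internal access.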
