06-01-2015 10:50 AM - edited 03-10-2019 10:46 PM
Hi Experts,
Good Day!
I would like to seek your expert assistance about this concern. My concern is that my client wants to have a policy in ISE that checks if the user is in AD and the computer is joined to their domain. Is that possible?
Thank you for your great help.
Cheers,
Niks
06-01-2015 05:51 PM
Niks,
A similar question was posed just a couple of days ago - please see this thread.
Short answer - yes - this is not only possible, but a common use case for ISE.
06-01-2015 07:38 PM
Hi Marvin,
Good Day!
Thanks for the link. May I ask how ISE checks if the computer is joined? I only know how to authenticate a user, which is based, of course, on AD.
Also, based on the Cisco documentation I should use EAP-FAST as the EAP protocol; however, my client is now using EAP-TLS. Is that possible for EAP-Chaining? And lastly, my client doesn't want to use AnyConnect NAM. Is that possible?
Thanks for the great help.
Cheers,
Niks
06-01-2015 08:34 PM
You're welcome.
EAP Chaining (to check both machine and user authentication) does require EAP-FAST as the outer method and the AnyConnect NAM module. You can't do it with native supplicants. That's one of the value propositions of using the AnyConnect NAM.
When the machine authentication is attempted, ISE will look it up in the configured identity store (e.g., AD) and verify the machine exists as a joined computer.
06-02-2015 08:56 AM
Hi Marvin,
Good day!
I was able to find a solution for not using AnyConnect NAM by just checking the AD group Domain Computers; however, I need to log off and log in again on my computer for that policy to hit.
I'm not sure what did I miss, please help.
Thanks
06-05-2015 04:40 AM
You can achieve machine and user authentication using a policy like the following, but it has several restrictions. EAP chaining is the best way to do it.
06-05-2015 08:32 AM
Hi Marvin,
Good Day!
I tried the solution for the machine authentication without using AnyConnect NAM; however, I still need to log off and log on again on my laptop for my policy to be hit.
May I know, if I use AnyConnect NAM with EAP-Chaining for machine + user authentication, is the procedure of logging off and logging in again on the laptop still needed?
Thanks again for the help Marvin!
Cheers,
Niks
06-05-2015 09:09 AM
Niks,
Normally "There is usually no need to re-authenticate a previously authenticated endpoint that remains connected to the network. After a successful 802.1X authentication, the port remains open until the session is terminated, most typically by a physical link-down event. Because physical connectivity is continuously maintained, the authenticated endpoint remains connected to the port. Under these circumstances, re-interrogating endpoint credentials serves no purpose."
You can force a reauthentication from ISE, or set the switch port to periodically reauthenticate (not recommended per the above design guide, but the command to do so is "authentication periodic", which will force reauthentication once an hour, and you can tweak the period with "authentication timer reauthenticate"), disconnect and reconnect the port, or - as you noted - log off and log on to trigger a reauthentication.
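The switch-side options Marvin lists, written out as an added example (this is not configuration from the thread or from Cisco's design guide; the interface names, the 900-second period and the host-mode choices are assumptions):

```cisco
! Added example, not from the thread. Interface names and the 900-second
! value are assumed.
!
! Default behaviour: no periodic reauthentication. Once the 802.1X session
! is authorized the port stays open until link-down (or a CoA from ISE), so
! a changed ISE policy is not re-evaluated for an endpoint that is already
! connected.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Periodic reauthentication on the switch. With "authentication periodic"
! alone the period is the default 3600 seconds (once an hour); the
! "authentication timer reauthenticate" line shortens it to an assumed 900.
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 900
 dot1x pae authenticator
!
! Alternative: let ISE decide per session. "reauthenticate server" takes
! the period from the RADIUS Session-Timeout attribute that the ISE
! authorization profile returns.
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
!
! One-off reauthentication from the switch side (privileged EXEC), and
! the session view to confirm what happened:
!   dot1x re-authenticate interface GigabitEthernet1/0/1
!   show authentication sessions interface GigabitEthernet1/0/1
```

One caveat that matters for the question in this thread: a forced or periodic reauthentication re-runs whatever credential the supplicant presents at that moment. With the Windows native supplicant set to "user or computer authentication", that is the user's credential once someone is logged on, so a reauthentication alone will not produce a session that matches a machine-authentication (Domain Computers) condition; that only happens before logon, which is why a logoff/logon is what makes the policy hit.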
06-07-2015 10:07 AM
Hi Marvin,
Good Day!
Does this apply also to a WLAN setup? As of now, we tried machine + user authentication using the native supplicant of Windows; however, we need to log off and log in again on the laptop/computer so that the policy for the machine authentication will get hit.
Now, we will try to use the AnyConnect NAM as you suggested before. Will this solution still need a logoff and login on the computer for the machine authentication to hit in the policy?
Thanks,
niks
07-05-2017 08:54 AM
So, using AnyConnect, will we have the same condition of the user needing to log off or reboot the machine?