06-29-2016 03:51 AM
Dear Experts,
Our customer has a question on ISE dot1x EAP-TLS with a logon script, as below:
There are two GPOs: a first Computer GPO and a second GPO based on logon script execution (SMB).
I'm asking about the second one, when the user enters his Active Directory credentials. So here the user had a DACL applied on the switch port, then had access to AD, DNS, DHCP and had an IP address due to SUCCESSFUL MACHINE Authentication, so should we give him access to SMB (providing shared access to the file server) in the DACL?
We know that the GPO depends on network connectivity.
When we apply the GPO (logon script) after SUCCESSFUL USER Authentication at the client provisioning stage (CPP), this GPO fails to be executed and give us access to the file server?
If this GPO failed due to network connectivity, what should we do to prevent this failure?
Should we give him access to the file server in the DACL after machine authentication and in the POSTURE STATUS UNKNOWN?
Or do we configure a delay for the GPO to be applied when the computer is COMPLIANT?
Please help to answer. Thanks
Yu Han
06-29-2016 09:22 PM
If any of your ACLs prevent access to any resources needed by GPOs or logon scripts then you will have a problem.
Both of your options should work:
1) Ensure all ACLs (machine auth, compliant, non-compliant, etc.) will allow access to GPO resources
2) Delay your GPO until after the user has been authenticated and determined as compliant and any new ACLs applied
07-03-2016 07:00 PM
About roaming profiles, what should we do? Is there any specific configuration on ISE, or will we do the same as below?
07-05-2016 09:00 AM
Are you talking about computer roaming or user roaming?
ISE doesn't care about wireless roaming. If the WLC treats it as a new session, then ISE gets a RADIUS request.
For user roaming, if the computers are configured for user authentication, ISE will authenticate and authorize each user login.
However if you are using Fast User Switching, ISE will not get an authentication request because Windows does not consider this a new authentication and does not trigger an 802.1X event.
07-07-2016 07:44 PM
Thanks for your reply. I'm talking about user roaming in Windows, for example when they applied 10 GPOs on each user and
the purpose of those GPOs is to access the file server. So when the user enters his Windows credentials, after that the GPOs will
apply. At this stage should they have access to the file server, or should they wait for the PC to be compliant to access them? Should
they see "folder is empty" if they access them before being compliant? Should we deny those IP addresses (file servers) in the
redirect ACL?
07-08-2016 09:08 AM
We covered this in the original answer.
They need to do whatever they need to do with GPO delays or Quarantine ACLs to ensure GPOs will work whenever they are invoked with whatever resources they are trying to access. Rather than deal with GPO timing delays it is probably easier to include any and all necessary file servers in their Non-Compliant/Quarantine ACL.
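As an added illustration (not code from this thread, from ISE or from Cisco), a small Python checker that evaluates an IOS-style dACL, as ISE would push it in the Unknown/Non-Compliant state, against the flows a logon-time GPO needs (DHCP, DNS, AD Kerberos, SYSVOL and the logon-script file server over SMB). It shows the gap the accepted answer describes: AD is reachable but the file server is blocked until it is added to the quarantine ACL. The addresses, ACL lines and helper names are constructed for this example.

```python
import ipaddress

# Constructed, hypothetical helper: a first-match evaluator for IOS-style dACL lines
#   permit|deny <proto> any <dst> [eq <port>]
# where <dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD". A dACL always has
# source "any", so only protocol, destination address and destination port count.

def parse_ace(line):
    t = line.split()
    action, proto, dst = t[0], t[1], t[3:]   # t[2] is the mandatory "any" source
    if dst[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), dst[1:]
    elif dst[0] == "host":
        net, rest = ipaddress.ip_network(dst[1] + "/32"), dst[2:]
    else:  # address + wildcard mask (a hostmask); use the "host" form for single addresses
        net, rest = ipaddress.ip_network(f"{dst[0]}/{dst[1]}", strict=False), dst[2:]
    port = int(rest[1]) if rest and rest[0] == "eq" else None
    return action, proto, net, port

def flow_permitted(acl_lines, proto, dst_ip, port):
    """First matching ACE decides; an ACL ends in an implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, aproto, net, aport = parse_ace(line)
        if aproto not in ("ip", proto) or addr not in net:
            continue
        if aport is not None and aport != port:
            continue
        return action == "permit"
    return False

def check_gpo_reachability(acl_lines, required):
    """Map each required flow name to whether the ACL lets it through."""
    return {name: flow_permitted(acl_lines, p, ip, port) for name, p, ip, port in required}

# Constructed sample: DC (AD/DNS/SYSVOL) at 10.0.0.10, logon-script file server at 10.0.1.20.
REQUIRED = [("dhcp", "udp", "255.255.255.255", 67), ("dns", "udp", "10.0.0.10", 53),
            ("kerberos", "tcp", "10.0.0.10", 88), ("sysvol_smb", "tcp", "10.0.0.10", 445),
            ("fileserver_smb", "tcp", "10.0.1.20", 445)]
# Unknown/Non-Compliant dACL that opens AD but forgets the file server the logon script maps.
QUARANTINE_ACL = ["permit udp any any eq 67", "permit udp any host 10.0.0.10 eq 53",
                  "permit tcp any host 10.0.0.10 eq 88", "permit tcp any host 10.0.0.10 eq 445",
                  "deny ip any any"]
# Corrected version per the accepted answer: add the file server before the final deny.
FIXED_ACL = QUARANTINE_ACL[:-1] + ["permit tcp any host 10.0.1.20 eq 445", "deny ip any any"]

if __name__ == "__main__":
    for name, ok in check_gpo_reachability(QUARANTINE_ACL, REQUIRED).items():
        print(name, "permit" if ok else "BLOCKED")
```

The flow list is abbreviated; a real deployment would also cover UDP Kerberos, LDAP, NTP and the ISE PSNs themselves.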