08-23-2017 07:22 AM - edited 02-21-2020 10:32 AM
All,
A few questions on the topic of ISE today :) and I think this one deserves its own thread.
Can you lock down users in Windows so they do not type their login details and use single sign-on?
I suppose by using group policy and configuring dot1x on the machine for the user only and not the machine (we are not authenticating the machine).
Thanks
08-23-2017 10:21 AM
Yes, you can configure a group policy to configure 802.1X on a computer to authenticate a user; this can be transparent. Either EAP-TLS (certificate) or PEAP/MSCHAPv2 (username and password) - both methods can be transparent, assuming the computer trusts the certificates.
Any reason for not doing computer authentication? You can do both; the benefit of authenticating the computer is that computer GPOs are processed.
HTH
08-23-2017 11:56 AM
Thanks for this.
Do you have any article to show the process for WLC 8 and ISE 2.2?
What do you mean by it applies GPOs?
08-23-2017 12:30 PM
Here is the best place for ISE configuration guides:
https://communities.cisco.com/docs/DOC-64012
By GPO I was referring to the Windows group policies. When the computer boots up it updates the computer group policies; when a user logs in it processes user group policies. So you may want to authenticate the user and computer to ensure all group policies are updated.