Mac computer as an AD domain machine

yongwli
Cisco Employee

Hi Team,

Customer would like to know whether a Mac computer is an AD domain machine or not, and define different policies based on it. How can we do it in ISE? We found the Mac did not send host authentication in the ISE live log, and there is no register table to check whether it's a domain computer or not.

Your help will be very appreciated!

Thanks

DL

Accepted Solution

howon
Cisco Employee

You can use AD probe's 'AD-Hosts-Exists' attribute to automatically create an endpoint group. Once created you can use it in your AuthZ policy to provide different AuthZ profile.


8 Replies

I was looking at the live RADIUS log, and I do not see the AD probe returning AD-Host-Exists. I see it returning all of the other probes. Does it have to be a functional 2012 domain, or is there something else I could have missed?

Thanks,

Alex

Is ISE learning the hostname of the Mac from DHCP or the FQDN from the DNS profiler (if you have it enabled… you should)?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

It ended up being that the profile I created had fewer points than another profile. I changed the point assignment in the profile condition that I created. I thought I would see the AD-Host-Exists in the authentication because I was seeing the 5 other AD attributes.

Thanks for your response.

Alex

paul
Level 10

The AD-Host-Exists flag is checking whether the reverse lookup for the learned IP is an object in AD. That is a decent indicator that the device is probably a domain-joined object.

You can definitely get Macs that are joined to the domain to present domain computer credentials during PEAP authentication. If they are using JAMF/Casper to manage their Macs this is pretty straightforward and documented here:

https://www.jamf.com/jamf-nation/discussions/8721/802-1x-machine-based-authentication

If they aren't managing the Macs with JAMF they can use that article as a guide to manually configuring the Macs to do this.  It isn't easy but doable without JAMF. 
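As an added illustration (not Cisco code, and not from anyone in this thread), the Python below models the two things discussed above: the AD-Host-Exists attribute as a profiling input, and the certainty-factor scoring that made Alex's custom profile lose until he raised its points. Each profiling policy sums the certainty of its matching conditions, and the endpoint is assigned to the policy with the highest total that meets that policy's minimum certainty. Policy names, attribute values and point weights are constructed for the example; the real ISE profiler also handles policy hierarchy and more condition types than plain equality.

```python
"""Simplified model of ISE profiler certainty-factor selection.

Added example for this thread, not Cisco's implementation. Policy
names, endpoint attributes and point weights are constructed.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str   # profiler attribute name, e.g. "OUI", "AD-Host-Exists"
    value: str       # value the attribute must equal for the condition to hit
    certainty: int   # "certainty factor increases" awarded when it hits


@dataclass
class ProfilingPolicy:
    name: str
    min_certainty: int          # minimum total CF before this policy can match
    conditions: List[Condition]

    def score(self, endpoint: Dict[str, str]) -> int:
        """Total certainty factor this endpoint earns under this policy."""
        return sum(c.certainty for c in self.conditions
                   if endpoint.get(c.attribute) == c.value)


def select_profile(endpoint: Dict[str, str],
                   policies: List[ProfilingPolicy]) -> Tuple[Optional[str], int]:
    """Pick the policy with the highest score that meets its own minimum.

    Returns (policy name, score), or (None, 0) when nothing qualifies.
    Ties keep the first policy seen; the real profiler's tie handling
    is not modelled here.
    """
    best: Optional[Tuple[str, int]] = None
    for policy in policies:
        total = policy.score(endpoint)
        if total >= policy.min_certainty and (best is None or total > best[1]):
            best = (policy.name, total)
    return best if best is not None else (None, 0)


# Constructed endpoint: a Mac learned via OUI, with the AD probe's reverse
# lookup confirming a matching computer object (AD-Host-Exists = true).
MAC_ENDPOINT = {
    "OUI": "Apple, Inc.",
    "ip": "10.0.0.25",            # constructed
    "AD-Host-Exists": "true",
}

# Constructed endpoint with no profiler hits at all.
UNKNOWN_ENDPOINT = {"OUI": "Unknown", "ip": "10.0.0.99"}

# "Before": the custom AD-Joined-Mac policy awards only 10 points, so the
# generic Apple policy (20 points) wins even though AD-Host-Exists matched.
POLICIES_BEFORE = [
    ProfilingPolicy("Apple-Device", 10, [Condition("OUI", "Apple, Inc.", 20)]),
    ProfilingPolicy("AD-Joined-Mac", 10, [Condition("AD-Host-Exists", "true", 10)]),
]

# "After": raising the AD-Host-Exists weight to 30 lets the custom policy win,
# which is what the fix described in the thread amounts to.
POLICIES_AFTER = [
    ProfilingPolicy("Apple-Device", 10, [Condition("OUI", "Apple, Inc.", 20)]),
    ProfilingPolicy("AD-Joined-Mac", 10, [Condition("AD-Host-Exists", "true", 30)]),
]


if __name__ == "__main__":
    print("before:", select_profile(MAC_ENDPOINT, POLICIES_BEFORE))   # ('Apple-Device', 20)
    print("after: ", select_profile(MAC_ENDPOINT, POLICIES_AFTER))    # ('AD-Joined-Mac', 30)
    print("unknown:", select_profile(UNKNOWN_ENDPOINT, POLICIES_AFTER))  # (None, 0)
```

Once the endpoint lands in the intended profile, the matching endpoint identity group is what the authorization policy keys on, which is the flow the accepted answer describes.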

yongwli
Cisco Employee

Do you have any docs to show how to do it? I mean the AD probe and automatically adding the endpoint into a group; does it need the API to do it? Many thanks.

Use the JAMF link I provided as a guide. There are other links out there if you Google PEAP Computer Auth OSX.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

yongwli
Cisco Employee

Thank you, let me try it first.