Machine and User Auth on ISE

rajan.pradhan
Level 1

Hi All

I'm using ISE for 802.1x auth of wireless users coming from a Cisco WLC, all working perfectly fine, except I want to be able to restrict the authorisation to both Active Directory domain users AND computers, i.e. to use wireless you have to have a corporate computer that is on the domain. Having a real struggle with this, can't find a way to profile computers based on domain membership, or any way to authenticate both user and computer concurrently. Any help gratefully appreciated.

Thanks

3 Replies

edondurguti
Level 4

Rajan,

This might help you.

https://supportforums.cisco.com/docs/DOC-27927

Also if you want to allow only DOMAIN COMPUTERS to be able to join the wireless you can set an Authorization Rule:

For example:

if AD1:ExternalGroups equals Your.AD.Domain/Domain Computers
AND AD1:ExternalGroups equals Your.AD.Domain/Domain Users
then = ALLOW ACCESS

You will just need to go to Administration and add these groups to the store.

Hi

Thanks for that. Your suggestion is the first thing I tried originally, but it does not work. The problem is that after a user logs on to the PC, Windows sends PEAP authentication for USER only; it does not authenticate the machine any more (under Windows XP). So any auth policy which tries to match machine AND user attributes causes auth to fail.

I need a way to force the client to authenticate by machine, or ISE to profile the endpoint by domain membership...

Rajan,

Windows does not natively support this. Machine authentication via domain lookup occurs only during user login, and then you need to set as PEAP after the fact. In order to achieve the same effect, I deployed Cisco AnyConnect Secure Mobility client.

It will seem confusing at first, but what you'll want to do is download the AnyConnect 3.1 Standalone Profile Editor, and take a look at setting up a profile with it. Then you'll see what you can do in order to make the authorization rules in ISE.

I opted to use EAP-FAST and EAP chaining in ISE 1.1.1 to do it. I then had my domain machines authenticate via machine certificate pushed out via GPO and then username/password discovered during the login process. If it isn't cached from that process, it'll prompt the user again.

Hopefully this helps.
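The two points the thread turns on are (1) the "Domain Computers AND Domain Users" authorization rule suggested above and (2) why it only passes once machine and user credentials arrive in the same session (EAP-FAST with EAP chaining) rather than in separate PEAP sessions. The following is an added model written for this page, not ISE's policy engine or any Cisco API: it evaluates that rule against a constructed directory, assuming (as ISE does) that each RADIUS session is authorized on its own and a rule can only see the groups of identities proven inside that session. Group names, hostnames and usernames are constructed.

```python
"""Model of an ISE-style authorization rule requiring BOTH the Domain
Computers and Domain Users AD groups, evaluated per authentication session.
Added illustration for this thread; not ISE code.  Assumption: ISE authorizes
each session independently, so the rule sees only the identities proven in
that one session."""
from dataclasses import dataclass, field

# Constructed group names in the "AD1:ExternalGroups" style used in the thread.
DOMAIN_COMPUTERS = "Your.AD.Domain/Domain Computers"
DOMAIN_USERS = "Your.AD.Domain/Domain Users"

# Constructed directory: AD object -> external groups it belongs to.
AD_GROUPS = {
    "host/corp-laptop-01": {DOMAIN_COMPUTERS},   # domain-joined corporate PC
    "host/byod-laptop": set(),                   # not a domain computer
    "alice": {DOMAIN_USERS},                     # ordinary domain user
}


@dataclass
class Session:
    """One authentication session as the policy engine sees it."""
    method: str                                  # "PEAP" or "EAP-FAST"
    identities: list = field(default_factory=list)  # identities proven here

    def external_groups(self):
        groups = set()
        for ident in self.identities:
            groups |= AD_GROUPS.get(ident, set())
        return groups


def authorize(session):
    """The rule from the thread: Domain Computers AND Domain Users -> ALLOW.
    Anything else does not match and falls through to the default rule."""
    groups = session.external_groups()
    if DOMAIN_COMPUTERS in groups and DOMAIN_USERS in groups:
        return "ALLOW ACCESS"
    return "NO MATCH"


def windows_peap_login(machine, user):
    """Windows PEAP behaviour described in the thread: machine auth at boot
    is one session; after user logon the supplicant sends a USER-only
    session.  Neither session alone carries both groups, so the AND rule
    never matches.  Returns (boot result, user-logon result)."""
    boot_session = Session("PEAP", [machine])
    user_session = Session("PEAP", [user])
    return authorize(boot_session), authorize(user_session)


def eap_chaining_login(machine, user):
    """EAP-FAST with EAP chaining: machine certificate and user credentials
    are both proven inside a single session, so the rule sees both groups."""
    return authorize(Session("EAP-FAST", [machine, user]))


if __name__ == "__main__":
    print("PEAP boot/user :", windows_peap_login("host/corp-laptop-01", "alice"))
    print("EAP chaining   :", eap_chaining_login("host/corp-laptop-01", "alice"))
    print("Non-domain PC  :", eap_chaining_login("host/byod-laptop", "alice"))
```

Running it shows the PEAP case returning no match for both the boot session and the user session, the chained session from a domain-joined PC being allowed, and a chained session from a non-domain PC still falling through, which is the "corporate computer only" outcome the original question asks for.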