12-21-2021 07:51 PM
I have a request on an ISE 3.0 setup to use AD authentication on wireless 802.1x (5520 WLC) to specify specific ACLs but also only allow access from corporate machines so a user can't pull up their ipad and enter in their AD credentials.
From my research it seems this is only possible if we use the anyconnect NAM, which we would prefer not to do.
So are there any options to do Cert machine Auth AND then user AD auth for ACL application using ISE 3.0?
12-22-2021 02:49 AM
You can combine machine and user authentication using the relatively new TEAP protocol, assuming your computers are using Windows 10 build 2004.
12-22-2021 01:01 PM
Hello @bhartsfield
If EAP-TEAP or NAM is not an option then perhaps there is another way:
1) If the corporate machines are domain joined, then you could use Group Policy to push a machine cert to the AD joined devices, and push a profile that connects to the corp SSID using that cert. On the ISE Wireless 802.1X Policy Set, create a new "Allowed Protocols" where only EAP-TLS is ticked. That will ensure that corp devices MUST use certificates to connect - clients who don't have certs won't have a chance on the corp SSID.
2) Allow EAP-PEAP, but check whether the user is a member of Domain Computers in the Authorization. Only domain joined computers will be members. Regular users will fail that check on the corp SSID.
3) Create a separate SSID for employees to connect to, using their AD creds. Apply the VLAN/ACL as required.
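To make the decision logic behind options 1 and 2 concrete, here is an added Python model (example code, not Cisco ISE code or the poster's own) that evaluates constructed session attributes the way an ISE Policy Set would: an Allowed Protocols check at authentication, then first-match authorization rules with an implicit default deny. Attribute names follow ISE's dictionary style (Network Access:EapAuthentication, AD1:ExternalGroups); the SSIDs, group DNs, ACL names and session values are all constructed assumptions.

```python
# Constructed sessions: the attribute set ISE holds once the EAP exchange has
# completed. Called-Station-ID carries the AP MAC and SSID the client joined.
CORP_LAPTOP = {                      # domain-joined PC presenting a machine cert
    "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff:CORP",
    "Network Access:EapAuthentication": "EAP-TLS",
    "AD1:ExternalGroups": {"corp.example/Users/Domain Computers"},
}
IPAD_USER_CREDS = {                  # personal iPad typing an AD username/password
    "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff:CORP",
    "Network Access:EapAuthentication": "EAP-MSCHAPv2",   # inner method of PEAP
    "AD1:ExternalGroups": {"corp.example/Users/Domain Users"},
}
EMPLOYEE_IPAD = {**IPAD_USER_CREDS,  # same device, but on the employee SSID
                 "Radius:Called-Station-ID": "aa-bb-cc-dd-ee-ff:EMPLOYEE"}

def ssid(session):
    return session["Radius:Called-Station-ID"].rsplit(":", 1)[1]

# Small condition builders standing in for ISE's rule condition editor.
def on_ssid(name):
    return lambda s: ssid(s) == name

def in_group(dn):
    return lambda s: dn in s["AD1:ExternalGroups"]

def all_of(*conds):
    return lambda s: all(c(s) for c in conds)

# Option 2: PEAP is allowed, but the corp ACL is only handed to sessions whose
# authenticated AD identity is a member of Domain Computers. A user typing
# their own credentials lands in Domain Users and never matches that rule.
OPTION2_RULES = [
    ("Corp machine", all_of(on_ssid("CORP"),
                            in_group("corp.example/Users/Domain Computers")),
     "PermitAccess:CORP_ACL"),
    ("Employee SSID", all_of(on_ssid("EMPLOYEE"),                 # option 3
                             in_group("corp.example/Users/Domain Users")),
     "PermitAccess:EMPLOYEE_ACL"),
]

def authorize(session, rules=OPTION2_RULES):
    for _name, cond, result in rules:       # top-down, first match wins
        if cond(session):
            return result
    return "DenyAccess"                     # ISE's implicit default rule

# Option 1: restrict Allowed Protocols to EAP-TLS, so a client without a
# certificate is refused during authentication and never reaches authorization.
def decide(session, allowed_protocols, rules=OPTION2_RULES):
    if session["Network Access:EapAuthentication"] not in allowed_protocols:
        return "AuthenticationFailed"
    return authorize(session, rules)
```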