Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3161
Views
5
Helpful
2
Replies

Machine/computer Authentication in ISE

Go to solution
Srinivasan Nagarajan
Level 1
Level 1

‎05-27-2019 06:31 AM

Hi Experts,

 

I'm new to ISE and we've setup machine+user authentication. While going through the machine authentication, in one of the blogs, described as : When a Windows desktop machine joins Active Directory, there is a computer account that gets created and a unique password is negotiated between the machine and AD.

So,this computer account can now be used to identify the machine, even when no user is logged in, which can be used to provide the machine access to the network and machine authorization policies are enforced. So, we've setup the policies as below:

Rule no 1:

 

Ise.local:ExternalGroups==Domain  Computers

 

  With the 1st rule, machine will get authorized access when it boots up (   Before user enters his credentials)

 

  Rule no 2:

 

  Network Access:WasMachineAuthenticated ==True

 

                              AND

 

ise.local:ExternalGroups==Domain Users

 

Now in 2nd rule user will enter credentials and he will get authorized   access.

 

Since we've MAR (Network Access:WasMachineAuthenticated ==True) in place, only machine which was authenticated earlier will be allowed, right...My Query is what if PC (new one) that has never joined before AD will be authenticated and granted access..? Please assist.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
craig.beck
Level 1
Level 1

‎05-28-2019 03:21 AM

If a PC isn't a "Domain Computer" it won't get access, according to your policy.

 

Typically you'll need a rule at the top of your policy to allow PCs to connect based on MAB, or you could use PEAP to allow a "Domain User" to authenticate so you can do the domain join on the PC. Once that bit is done the PC will authenticate.

 

Take care if you use PEAP though as you could be allowing any domain user to connect any device to the network if you use the "Domain Users" AD group. I would create a specific security group in AD for this purpose and use that group in a rule, so only a specific user (or group of users) can perform this task.

View solution in original post

2 Replies 2

Go to solution
aivanin
Level 1
Level 1

‎05-27-2019 11:12 PM

Hello,
why it is authenticated if never joined to AD? It not authenticated because isn't consists on Domain Computers group.
0 Helpful

Go to solution
craig.beck
Level 1
Level 1

‎05-28-2019 03:21 AM

If a PC isn't a "Domain Computer" it won't get access, according to your policy.

 

Typically you'll need a rule at the top of your policy to allow PCs to connect based on MAB, or you could use PEAP to allow a "Domain User" to authenticate so you can do the domain join on the PC. Once that bit is done the PC will authenticate.

 

Take care if you use PEAP though as you could be allowing any domain user to connect any device to the network if you use the "Domain Users" AD group. I would create a specific security group in AD for this purpose and use that group in a rule, so only a specific user (or group of users) can perform this task.

Customers Also Viewed These Support Documents