05-27-2019 06:31 AM
Hi Experts,
I'm new to ISE and we've set up machine + user authentication. While going through machine authentication, one of the blogs described it as: when a Windows desktop machine joins Active Directory, a computer account gets created and a unique password is negotiated between the machine and AD.
So, this computer account can now be used to identify the machine, even when no user is logged in, which can be used to provide the machine access to the network, and machine authorization policies are enforced. So, we've set up the policies as below:
Rule no 1:
Ise.local:ExternalGroups==Domain Computers
With the 1st rule, the machine will get authorized access when it boots up (before the user enters his credentials).
Rule no 2:
Network Access:WasMachineAuthenticated ==True
AND
ise.local:ExternalGroups==Domain Users
Now, in the 2nd rule, the user will enter credentials and he will get authorized access.
Since we have MAR (Network Access:WasMachineAuthenticated ==True) in place, only a machine which was authenticated earlier will be allowed, right? My query is: what if a PC (a new one) that has never joined AD before is authenticated and granted access? Please assist.
Accepted Solutions
05-28-2019 03:21 AM
If a PC isn't a "Domain Computer" it won't get access, according to your policy.
Typically you'll need a rule at the top of your policy to allow PCs to connect based on MAB, or you could use PEAP to allow a "Domain User" to authenticate so you can do the domain join on the PC. Once that bit is done the PC will authenticate.
Take care if you use PEAP though as you could be allowing any domain user to connect any device to the network if you use the "Domain Users" AD group. I would create a specific security group in AD for this purpose and use that group in a rule, so only a specific user (or group of users) can perform this task.
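To make the behaviour of the two rules above (and the narrowed "domain-join" rule the answer recommends) concrete, here is an added example that is not part of the thread or of ISE itself: a toy first-match evaluator that tracks machine-auth results per endpoint MAC the way a MAR cache does. The "Domain Join Operators" group name and the MAC addresses are constructed for the example.

```python
# Added example (not ISE code): a simplified first-match authorization policy
# mirroring the thread's rules. MAR_CACHE stands in for ISE's machine-access
# restriction cache, which records endpoints whose computer account passed.
DOMAIN_JOIN_GROUP = "Domain Join Operators"  # hypothetical AD group, not from the thread
MAR_CACHE = set()  # MACs whose computer account authenticated successfully


def authorize(session):
    """Return the name of the first matching rule, or None for deny."""
    groups = session["groups"]
    mac = session["mac"]
    # Rule 1: ise.local:ExternalGroups == Domain Computers (boot-time machine auth)
    if session["identity"] == "machine" and "Domain Computers" in groups:
        MAR_CACHE.add(mac)
        return "Rule 1"
    # Rule 2: WasMachineAuthenticated == True AND ExternalGroups == Domain Users
    if session["identity"] == "user" and mac in MAR_CACHE and "Domain Users" in groups:
        return "Rule 2"
    # Rule 3 (from the accepted answer): a restricted AD group, not plain
    # "Domain Users", may connect without MAR so the PC can be domain-joined.
    if session["identity"] == "user" and DOMAIN_JOIN_GROUP in groups:
        return "Rule 3"
    return None


def scenarios():
    """Evaluate the cases discussed in the thread; returns rule hit per case."""
    MAR_CACHE.clear()
    joined, new = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    return {
        # Domain-joined PC boots (computer account), then a domain user logs in
        "joined_pc_boot": authorize({"mac": joined, "identity": "machine",
                                     "groups": {"Domain Computers"}}),
        "joined_pc_user": authorize({"mac": joined, "identity": "user",
                                     "groups": {"Domain Users"}}),
        # Never-joined PC: no computer account exists, so it carries no AD
        # groups at machine phase (in real ISE authentication itself fails)
        "new_pc_machine": authorize({"mac": new, "identity": "machine", "groups": set()}),
        # Same new PC, ordinary domain user types credentials: MAR blocks Rule 2
        "new_pc_user": authorize({"mac": new, "identity": "user",
                                  "groups": {"Domain Users"}}),
        # Same new PC, but the user is in the restricted join group
        "new_pc_join_operator": authorize({"mac": new, "identity": "user",
                                           "groups": {"Domain Users", DOMAIN_JOIN_GROUP}}),
    }
```

Running `scenarios()` shows the never-joined PC is denied under the original two rules, and only a member of the restricted group (not every domain user) gets on to perform the join.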
05-27-2019 11:12 PM
Why would it be authenticated if it was never joined to AD? It is not authenticated because it isn't a member of the Domain Computers group.
