
Role based VLAN assignment needs to add a Domain check

CoryMDubya601
Level 1

We have role based VLAN assignment at my company. The issue is that in the current config the users can bring in their own devices, authenticate with their work credentials and then get access to internal resources. My solution is to add a domain check into the authentication policy to verify that the device is joined to the domain. Right now it is just for the wireless devices. We would like to send the BYOD non-company owned devices to a specific VLAN. We would like to put the company owned devices on the internal VLAN. I would like help in picking the correct CONDITION to check the domain. The role based policy check works well. I cannot get the domain check to work correctly.

Any suggestions?

5 Replies

@CoryMDubya601 you can perform a domain check using ISE Posture and can check the registry. Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain, Value=<DOMAIN>

You might be better off using EAP Chaining (TEAP or EAP-FAST) on your domain joined computers, which can combine machine authentication and user authentication. Only your domain joined devices would be able to pass machine authentication, so therefore you can assign the appropriate VLAN. For the devices where EAP Chaining is not used, i.e., the BYOD devices, you'd have a different authorisation rule and assign a different VLAN.

Else use ISE BYOD certificate for the non-company owned assets, therefore you can distinguish between the different connections and apply different VLANs accordingly.
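To make the difference between the two policies concrete, here is an added toy evaluator (not Cisco ISE code, not from the thread) that runs the original role-only rule and the EAP Chaining rule suggested above against two constructed sessions. The attribute names mirror the ISE dictionaries; the join-point name `AD1`, the group name, the VLAN ids and the exact EapChainingResult strings are assumptions.

```python
# Toy model of ISE authorisation rules: ordered list, first match wins, no match = deny.
# Constructed example; attribute names, join point "AD1", groups and VLAN ids are assumptions.

CORP_VLAN, BYOD_VLAN = 100, 200  # assumed VLAN ids for the internal and BYOD segments

# Assumed EapChainingResult values (TEAP / EAP-FAST with chaining enabled).
CHAINED = "User and machine both succeeded"


def in_group(attrs, group):
    """True when the AD join point reports the user in the given group."""
    return group in attrs.get("AD1:ExternalGroups", [])


def evaluate(policy, attrs):
    """Walk the rules in order and return (rule_name, result); default is deny."""
    for name, condition, result in policy:
        if condition(attrs):
            return name, result
    return "Default", {"access": "deny"}


# The original role-based policy: any user in the group lands on the internal VLAN,
# no matter which device presented the credentials.
ROLE_ONLY_POLICY = [
    ("Engineering", lambda a: in_group(a, "engineering"),
     {"access": "permit", "vlan": CORP_VLAN}),
]

# The suggested policy: EAP chaining must report both machine and user success before
# the role check places the session on the internal VLAN; a user-only success (work
# credentials from a personal device) is sent to the BYOD VLAN instead.
EAP_CHAINING_POLICY = [
    ("Corp-Engineering",
     lambda a: a.get("Network Access:EapChainingResult") == CHAINED and in_group(a, "engineering"),
     {"access": "permit", "vlan": CORP_VLAN}),
    ("BYOD-Users",
     lambda a: a.get("Network Access:EapChainingResult") != CHAINED and in_group(a, "engineering"),
     {"access": "permit", "vlan": BYOD_VLAN}),
]

# Constructed sessions: a domain-joined laptop and a personal phone using the same account.
# The phone's supplicant does PEAP with user credentials only, so no chaining result exists.
CORP_LAPTOP = {"AD1:ExternalGroups": ["engineering"], "Network Access:EapChainingResult": CHAINED}
PERSONAL_PHONE = {"AD1:ExternalGroups": ["engineering"]}

if __name__ == "__main__":
    for label, session in (("corp laptop", CORP_LAPTOP), ("personal phone", PERSONAL_PHONE)):
        print(label, "| role-only:", evaluate(ROLE_ONLY_POLICY, session)[1],
              "| chained:", evaluate(EAP_CHAINING_POLICY, session)[1])
```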

Use certificates instead. You should not be allowing unknown/untrusted devices onto the corporate network.

Agreed. Imagine the shock I felt when I saw that these unknown/untrusted devices were in the "protected" VLAN. I will research on certificate enablement.

Dustin Anderson
VIP Alumni

Another option is the MAR database. ISE can remember domain computers logged in before the user comes. EAP Chaining is better if your devices support it, but we use the MAR database to verify domain membership.

Friends don’t let friends use MAR