Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1458
Views
0
Helpful
3
Replies

Single PC restriction for Windows Login

Go to solution
nikhilcherian
Level 5
Level 5

‎09-24-2018 11:56 AM

Hi All, 

 

Generally when a user is added in the domain, the user is added in a way he can login to any of the computers in the domain. I have a specific use case in which the domain admin wants to restrict a user to login specifically to only one PC. The moment this restriction is made in the AD, the ISE authentication fails for this user. I have tried allowing the user to access this particular PC as well as ISE, however that also didn't succeed

 

Any idea, when ISE sends the auth requests to the AD,  how does the AD consider this request. Does the AD consider the user to login to the PC/ISE/switch

 

Regards

 Nikhil

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee
In response to paul

‎09-25-2018 09:30 AM

Just to add to what Paul mentioned. When ISE is integrated with AD, each ISE node become a computer object in the domain. When user authenticates via 802.1X, user is essentially logging on to the ISE node (Which considers to be logging on locally in terms of Windows user rights). Since PSN persona processes the authentication requests, you should add all of the PSNs to the allowed computer list for a give user along with one's Windows PC.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paul
Level 10
Level 10

‎09-24-2018 12:37 PM

If you add the ISE PSN computer accounts in AD to the logon to workstation restrictions that should allow their account to work.  You are saying that doesn't work?  You could also switch ISE to using LDAP to AD which shouldn't trigger a logon to workstation restriction.

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to paul

‎09-25-2018 09:30 AM

Just to add to what Paul mentioned. When ISE is integrated with AD, each ISE node become a computer object in the domain. When user authenticates via 802.1X, user is essentially logging on to the ISE node (Which considers to be logging on locally in terms of Windows user rights). Since PSN persona processes the authentication requests, you should add all of the PSNs to the allowed computer list for a give user along with one's Windows PC.

0 Helpful

Go to solution
nikhilcherian
Level 5
Level 5
In response to howon

‎09-25-2018 10:58 AM

I will double check this with the AD team & confirm if they have added all the ISE Nodes to the allowed list

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents