Single PC restriction for Windows Login

nikhilcherian
Level 5

Hi All,

Generally when a user is added in the domain, the user is added in a way that he can log in to any of the computers in the domain. I have a specific use case in which the domain admin wants to restrict a user to log in to only one PC. The moment this restriction is made in the AD, the ISE authentication fails for this user. I have tried allowing the user to access this particular PC as well as ISE, however that also didn't succeed.

Any idea, when ISE sends the auth requests to the AD, how does the AD consider this request? Does the AD consider the user to be logging in to the PC/ISE/switch?

Regards
Nikhil


3 Replies

paul
Level 10

If you add the ISE PSN computer accounts in AD to the logon to workstation restrictions, that should allow their account to work. You are saying that doesn't work? You could also switch ISE to using LDAP to AD, which shouldn't trigger a logon to workstation restriction.

howon
Cisco Employee
Accepted Solution

Just to add to what Paul mentioned. When ISE is integrated with AD, each ISE node becomes a computer object in the domain. When a user authenticates via 802.1X, the user is essentially logging on to the ISE node (which Windows considers to be logging on locally in terms of user rights). Since the PSN persona processes the authentication requests, you should add all of the PSNs to the allowed computer list for a given user along with the user's Windows PC.

I will double check this with the AD team & confirm if they have added all the ISE Nodes to the allowed list.

Thanks
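The fix howon describes (the user's "Log On To" list must contain the Windows PC plus every ISE PSN computer object), as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module; the account name and the computer names are constructed placeholders.

```powershell
# Added example: ensure a user's AD LogonWorkstations ("Log On To") list includes
# the user's PC and all ISE PSN computer objects, and warn if any name is not a
# computer object in the domain (an ISE node that never joined AD would fail here).
Import-Module ActiveDirectory

function Add-IseLogonWorkstation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstation   # NetBIOS names, no domain suffix
    )

    # Warn about names that are not computer objects; the PSNs must be domain-joined.
    foreach ($name in $Workstation) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
            Write-Warning "'$name' is not a computer object in the domain; check the ISE AD join."
        }
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations

    # LogonWorkstations is one comma-separated string; empty means "all computers".
    $current = @()
    if ($user.LogonWorkstations) {
        $current = @($user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # -notcontains is case-insensitive, so re-running the function adds nothing twice.
    $missing = @($Workstation | Where-Object { $current -notcontains $_ } | Select-Object -Unique)
    if ($missing.Count -eq 0) {
        Write-Verbose "$SamAccountName already allows: $($current -join ', ')"
        return $current
    }

    $merged = $current + $missing
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set LogonWorkstations to $($merged -join ',')")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations ($merged -join ',')
    }
    return $merged
}

# Constructed names for illustration: the user's own PC plus two PSNs (placeholders).
$pcAndPsns = @('USER-PC01', 'ISE-PSN-01', 'ISE-PSN-02')
Add-IseLogonWorkstation -SamAccountName 'jdoe' -Workstation $pcAndPsns -Verbose -WhatIf
```

Drop `-WhatIf` to apply the change; only the PSN persona nodes need to be listed, not Admin or Monitoring nodes that never process RADIUS requests.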