Contributor

Single PC restriction for Windows Login

Hi All,

Generally, when a user is added to the domain, the user is added in a way that lets him log in to any of the computers in the domain. I have a specific use case in which the domain admin wants to restrict a user to logging in to only one PC. The moment this restriction is made in the AD, the ISE authentication fails for this user. I have tried allowing the user to access this particular PC as well as ISE; however, that also didn't succeed.

Any idea how the AD treats the request when ISE sends the auth request to it? Does the AD consider the user to be logging in to the PC, to ISE, or to the switch?

Regards
Nikhil

1 ACCEPTED SOLUTION

Cisco Employee

Just to add to what Paul mentioned. When ISE is integrated with AD, each ISE node becomes a computer object in the domain. When a user authenticates via 802.1X, the user is essentially logging on to the ISE node (which Windows treats as a local logon in terms of user rights). Since the PSN persona processes the authentication requests, you should add all of the PSNs to the allowed computer list for a given user, along with the user's own Windows PC.
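The fix described in the accepted solution, as an added PowerShell example that is not part of the thread: it sets the user's "Log On To..." list (the userWorkstations attribute) to the user's own PC plus every ISE Policy Service Node's computer account. The account name jdoe, the workstation FIN-PC01 and the PSN names ISE-PSN01 and ISE-PSN02 are hypothetical; substitute the computer objects ISE actually created when it joined your domain.

```powershell
# Added example, not from the thread. Names are hypothetical:
# the restricted user is jdoe, the user's PC is FIN-PC01, and the ISE
# Policy Service Nodes are ISE-PSN01 and ISE-PSN02.
# Requires the ActiveDirectory RSAT module and rights to modify the user object.
Import-Module ActiveDirectory

$user    = 'jdoe'                      # sAMAccountName of the restricted user
$userPc  = 'FIN-PC01'                  # the single workstation the user may log on to
$psnList = @('ISE-PSN01', 'ISE-PSN02') # computer accounts of every PSN that authenticates this user

# Verify the PSN computer objects really exist before referencing them.
# A mistyped name here is not rejected by AD, it just silently leaves the
# user unable to pass 802.1X on that PSN.
foreach ($psn in $psnList) {
    if (-not (Get-ADComputer -Filter "Name -eq '$psn'")) {
        throw "PSN computer account '$psn' not found in AD"
    }
}

# -LogonWorkstations writes userWorkstations: NetBIOS names, comma-separated,
# no spaces. The list is limited to 64 names, so with many PSNs consider
# Paul's alternative of having ISE query AD over LDAP instead.
$allowed = (@($userPc) + $psnList) -join ','
Set-ADUser -Identity $user -LogonWorkstations $allowed

# Read back what was written so the AD team can confirm it
Get-ADUser -Identity $user -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run this with an account that can modify the user object; if the user later fails 802.1X on only some switches, compare the PSN that handled the request (visible in the ISE Live Logs) against the LogonWorkstations value returned by the last command.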

3 REPLIES

Advocate

If you add the ISE PSN computer accounts in AD to the log-on-to-workstation restrictions, that should allow their account to work. You are saying that doesn't work? You could also switch ISE to using LDAP to AD, which shouldn't trigger a log-on-to-workstation restriction.


Contributor

I will double-check this with the AD team and confirm whether they have added all the ISE nodes to the allowed list.

Thanks
