Using Windows GPO with Cisco ISE

dcosta963
Level 1

We are currently using a login script to map drives upon logon for a user. We wanted to test using a GPO instead of a login script. We noticed that the test GPO for the mapped drive won't complete as ISE hasn't authenticated the user yet. Therefore the user doesn't see the mapped drive when they log in. If we test the GPO without ISE it works fine. Just curious if anyone else has run into this issue and if so what helped fix the issue?

Thank you,

Dcosta

4 Replies

nspasov
Cisco Employee

Hi Dcosta-

Yes, that is the expected Windows behavior. User authentication is one of the last things that happens during a boot process and/or after network connectivity is established. If you want things like GPO to work then you will also need to enable Machine authentication. You can create a rule in ISE for machine authentication to only provide the machines with limited access so they can grab the necessary policies and then still use the User based rules to provide a wider range of access. Take a look at the attached screenshot for more details.

I hope this helps!

Thank you for rating helpful posts!

Just to add to what Neno said (which I agree with), you should look into using Cisco AnyConnect NAM and EAP-Chaining.

What about when it comes to using GPO to map drives and posture assessment? The issue there is the delay in connecting to the drive shares due to the restricted ACL applied during posture assessment.

The restricted posture ACL only allows access to DHCP, DNS, AD, and remediation servers. The user configuration in GP triggers as soon as the user logs on and tries to map the drives. Since the drive shares are not accessible, the drive mapping fails. The only ways I've found around this are:

1. Logon scripts that ping a host, or list of hosts, and trigger the drive mapping once ping is successful (posture passed, less restrictive ACL).

2. Allow drive share access in the restricted posture ACL (reduced security).

3. Using the registry hack I linked to above that is not recommended by Microsoft.

When not using posture assessment, I had no issue with GP mapped drives if single sign-on is configured to occur after user login (under the 802.1X settings for the network card). It is hit or miss if it is configured to occur before user login.

Joseph Johnson
Level 1

I am curious if anyone ever finds a way to make this work as well with posture assessment and GP mapped drives. I don't want to give users access to drive shares until they pass posture.

The only way I was able to create mapped drives while using posture assessment was by using VBScript login scripts. I had a delay that would ping a list of addresses that would be unavailable during the posture assessment (limited access ACL). Once they passed posture and the ping was successful, the script would call another script to actually map drives based on user AD groups.

Edit: I did try a script that would just refresh GP after successful posture assessment. By default, refreshing GP doesn't work for mapped drives. There is a registry entry you can change to allow background refreshing of GP drive mappings, but I had read it is not recommended by Microsoft as it poses a security risk and/or instability in GP processing.

Information about the registry entry can be found here: http://techibee.com/group-policies/all-about-drive-mapping-in-group-policy-preferences/202

Microsoft article about the setting: http://social.technet.microsoft.com/wiki/contents/articles/12221.troubleshooting-the-drive-maps-preference-extension-in-group-policy-replace-mode-only-maps-the-drive-every-other-logon.aspx?wa=wsignin1.0#Set_the_NoBackgroundPolicy
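The "wait for a probe host, then map drives by AD group" logon script described in option 1 above and in the VBScript approach in this reply, written out here in PowerShell as an added example (it is not a script from this thread, from Cisco, or from Microsoft). It assumes placeholder file servers `fs01.example.local` / `fs02.example.local`, placeholder share paths, and AD groups `Staff` and `Finance`; replace all of those. Instead of ICMP ping it probes TCP 445 on the share hosts, because a restricted posture ACL can treat ICMP and SMB differently, and SMB reachability is what the mapping actually needs. The script never widens the posture ACL; it only waits until ISE has applied the permissive one.

```powershell
<#
  Added example, not code from the thread. Logon script that waits until a share host
  answers on TCP 445 (i.e. the restricted posture ACL has been replaced by the normal
  authorization) and only then maps drives, gated on the user's token groups.
  Host names, share paths and group names are assumed placeholders.
#>
param(
    [string[]] $ProbeHosts     = @('fs01.example.local', 'fs02.example.local'),  # assumed
    [int]      $ProbePort      = 445,   # SMB: proves the share host is reachable, not just pingable
    [int]      $TimeoutSeconds = 300,   # give up if posture never passes (e.g. remediation needed)
    [int]      $PollSeconds    = 5,
    [string]   $LogFile        = (Join-Path $env:TEMP 'map-drives.log')
)

# Drive letter -> UNC path, optionally gated on an AD group (placeholders, assumed).
$DriveMap = @(
    @{ Letter = 'H'; Path = "\\fs01.example.local\home\$env:USERNAME"; Group = $null     },
    @{ Letter = 'S'; Path = '\\fs01.example.local\shared';             Group = 'Staff'   },
    @{ Letter = 'F'; Path = '\\fs02.example.local\finance';            Group = 'Finance' }
)

function Write-Log([string] $Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Poll until any probe host accepts a TCP connection on $ProbePort, or the timeout expires.
function Wait-ForShareAccess {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($h in $ProbeHosts) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($h, $ProbePort, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne(2000)) {
                    $client.EndConnect($async)       # throws if the connect failed
                    Write-Log "Probe succeeded: ${h}:$ProbePort (posture ACL released)"
                    return $true
                }
            } catch {
                # unreachable or refused: still behind the restricted ACL, keep polling
            } finally {
                $client.Close()
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Log "Probe timed out after $TimeoutSeconds s; drives not mapped"
    return $false
}

# DOMAIN\Group names straight from the logon token, so no AD query is needed
# (and none would succeed anyway while AD is only partially reachable).
function Get-TokenGroupNames {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Map-Drives {
    $groups = @(Get-TokenGroupNames)
    foreach ($m in $DriveMap) {
        if ($m.Group -and -not ($groups -like "*\$($m.Group)")) {
            Write-Log "Skipping $($m.Letter): user is not in group $($m.Group)"
            continue
        }
        $drive = "$($m.Letter):"
        net use $drive /delete /y 2>$null | Out-Null       # drop a stale mapping, if any
        net use $drive $m.Path /persistent:no | Out-Null    # remap on every logon, nothing persists
        if ($LASTEXITCODE -eq 0) { Write-Log "Mapped $drive -> $($m.Path)" }
        else                     { Write-Log "Failed to map $drive -> $($m.Path) (exit $LASTEXITCODE)" }
    }
}

if (Wait-ForShareAccess) { Map-Drives }
```

Assign it as a user logon script (it must run in the user's context so the mappings land in the user's session). Leave the "Run logon scripts synchronously" policy at its default so the polling loop does not hold up the desktop while posture is still running; the drives simply appear once the probe succeeds. The log in `%TEMP%` records whether a missing drive was a posture timeout, a group-membership miss, or a `net use` failure, which is the first thing to check when a user reports "no drives".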