01-21-2024 02:25 AM
Hello All,
I have implemented 802.1X wired in my network (EAP-PEAP) and the AD is integrated with the ISE server to allow authenticated domain users to access the network. The users are able to authenticate successfully with their domain username and password, and I can see the logs in the ISE server hitting the policy successfully. When the user logs out and does not shut down the PC, the PC is communicating with the domain controller for updates etc., and I can see DOT1X auth fail logs on the switch. In the ISE logs I can see that the authentication request is coming from the PC with no username and only the PC name xyz.domain. Since there is no policy for domain computers, the switch keeps getting Auth Fail logs. When I add the domain computers to the policy, the PC successfully gets authenticated when no one is logged in.
Is this a safe practice, for the domain computers to have network access when no one is logged in? If not, then what is the solution? Failed authentication generates a lot of logs and the PC will keep trying to authenticate when no one is logged in.
01-21-2024 02:36 AM
@muhammadtalha Yes, I've never had a customer that has not authenticated the domain-joined computers. This allows the computer Group Policies to be processed on startup, Windows updates to be downloaded and remote management of the devices when no user is logged in.
If you wish to restrict this access, then deploy a DACL to computers once authorised by ISE that restricts access to only the Domain Controllers, DNS, update servers etc. Amend your ISE authorisation rules accordingly to authenticate the computers and deploy the DACL.
If you do not wish to authenticate the computers, you need to reconfigure the supplicant on the computers to perform "User authentication" rather than "User or Computer authentication".
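As an added illustration of the "restrict machine-state access with a DACL" advice above (this is not from the answer or from Cisco documentation; every address here is a constructed placeholder and the port set is an assumption about a typical AD/WSUS environment), here is what such a downloadable ACL body looks like when pasted into an ISE authorization result. ISE dACL entries use "any" as the source because the switch substitutes the authenticated endpoint's IP address when it applies the ACL to the access port.

```cisco
! Machine-state dACL (added example; assumed addresses, not from the thread)
! Applied ingress on the access port, so it filters traffic FROM the PC only.

! DHCP so the PC can obtain/renew its lease while no user is logged in
permit udp any eq 68 any eq 67

! --- Domain controllers, which also serve DNS (assumed subnet 10.0.10.0/29) ---
permit icmp any 10.0.10.0 0.0.0.7
permit udp any 10.0.10.0 0.0.0.7 eq 53
permit tcp any 10.0.10.0 0.0.0.7 eq 53
permit udp any 10.0.10.0 0.0.0.7 eq 88
permit tcp any 10.0.10.0 0.0.0.7 eq 88
permit udp any 10.0.10.0 0.0.0.7 eq 123
permit tcp any 10.0.10.0 0.0.0.7 eq 135
permit udp any 10.0.10.0 0.0.0.7 eq 389
permit tcp any 10.0.10.0 0.0.0.7 eq 389
permit tcp any 10.0.10.0 0.0.0.7 eq 445
permit udp any 10.0.10.0 0.0.0.7 eq 464
permit tcp any 10.0.10.0 0.0.0.7 eq 464
permit tcp any 10.0.10.0 0.0.0.7 eq 636
permit tcp any 10.0.10.0 0.0.0.7 eq 3268
permit tcp any 10.0.10.0 0.0.0.7 eq 3269
! RPC dynamic range used by Group Policy / AD services
permit tcp any 10.0.10.0 0.0.0.7 range 49152 65535

! --- Update server (assumed WSUS at 10.0.20.5 on HTTP 8530 / HTTPS 8531) ---
permit tcp any host 10.0.20.5 eq 8530
permit tcp any host 10.0.20.5 eq 8531

! --- Replies to remote-management sessions opened TOWARD the PC ---
! The dACL is stateless, so the PC's return traffic (source port RDP/WinRM)
! to the assumed management host 10.0.30.5 must be permitted explicitly.
permit tcp any eq 3389 host 10.0.30.5
permit tcp any eq 5985 host 10.0.30.5

! Everything else from an endpoint that is only machine-authenticated is dropped
deny ip any any
```

Attach this dACL to an authorization profile and reference that profile from an authorization rule that matches the machine identity (the host/xyz.domain-style identity the original post sees with no username), keeping the existing rule for authenticated users with its fuller access. Before pushing it, use the "Check DACL Syntax" button in the ISE dACL editor, since a syntax error would make the authorization fail and put the PC straight back into the Auth Fail loop the question describes; after it is pushed, `show access-session interface <port> details` on the switch shows which ACL the session received. Because the ACL is stateless, any additional inbound-initiated management protocol needs its own return-traffic permit, and the port list should be trimmed to what the environment's DCs and update servers actually use.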
01-21-2024 02:37 AM
Thanks, I got exactly what I was looking for!!