3194 Views | 6 Helpful | 8 Replies

Workgroup PC needs to be added to the Domain on a secure port

anilkumar.cisco
Level 4

Hello Team,

I have Cisco ISE 2.4. 802.1x with domain authentication is working perfectly.

When I am adding any new laptop to the domain, I am not able to do that on a secure port, meaning a port where 802.1x is already configured.

On a non-secure port, I am able to build a new laptop and add it to the domain.

Any idea what I should do here?

Best Regards

Anil Singh

Accepted Solution

This is a common issue due to the way Windows builds work. See a similar discussion with some options in this post.

PC Imaging on NAC secured ports

8 Replies

balaji.bandi
Hall of Fame

In most cases this will be handled in the build stage and build area, where the ports can be unauthenticated, so you know these are used for building new devices and joining them to the domain.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Any alternative to this?

Shall I allow the AD IP in the pre-auth ACL? After this, things started working, but it seems like a security issue.

Also, if I create a MAC address whitelist on the ISE, the extra burden will fall on the ISE admin.

The problem is, the customer is challenging that the same thing was working perfectly on an old site, which is decommissioned now.

Is it possible that I can add a computer certificate + user certificate manually to the PC which I am building and then add it to the domain via the dot1x policy?

Best Regards

Anil Singh

anilkumar.cisco
Level 4

I am confused now.

After changing the switch-side configuration order from mab dot1x to dot1x mab, the workgroup device started authenticating via dot1x.

Is it because the workgroup device already has a certificate installed on it? Is that why?
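As an added illustration (not configuration posted by anyone in this thread) of the two things discussed above, dot1x tried before MAB and a pre-auth ACL that reaches only the domain-join infrastructure, this is what that looks like on a Cisco IOS access port in low-impact mode. The interface, VLAN and IP addresses are constructed placeholders.

```cisco
! Added example, not from any post in this thread. Addresses are constructed
! placeholders: 10.0.0.10 = AD domain controller, 10.0.0.20 = DHCP/DNS server.
!
! Pre-auth ACL: applied to every device before it authenticates, so it permits
! only what a not-yet-joined PC needs (DHCP, DNS, the DC) and nothing else.
ip access-list extended PRE-AUTH-LOWIMPACT
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.20 eq domain
 permit ip any host 10.0.0.10
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 ip access-group PRE-AUTH-LOWIMPACT in
 ! low-impact mode: traffic allowed pre-auth is limited to the ACL above
 authentication open
 authentication host-mode multi-auth
 ! try 802.1X first, fall back to MAB; a PC that already holds a certificate
 ! authenticates via dot1x instead of hitting MAB first
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Once ISE authorizes the session, the dACL it returns replaces the pre-auth ACL for that endpoint, so the open-to-the-DC rule only ever applies while the device is still unauthenticated.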

Hi, I have the same case. Any suggestion for a compatible solution?

Note: we are the ISE administrators. Currently, when there is a new PC that needs to join the domain, we help by whitelisting it from the ISE dashboard or excluding the switch port without applying low-impact mode, so the Desktop Support team can perform the domain join and install software from their checklist. After they have completed, we remove it from the whitelist. But this requires a lot of teams to help, and also adds workload and lowers productivity. For example, sometimes the Desktop Support team needs to fix an issue or re-join the domain immediately, but they need to contact the ISE administrator or network team to do the whitelist or exclude the switch port.

And in our environment before applying ISE, the Desktop Support team could join or re-join the domain at the user's place.

Thank you so much for the advice.

Hello Sina,

The solution has already been provided by @Greg Gibbs:

Solved: PC Imaging on NAC secured ports - Cisco Community

We have to choose from the options.

I have chosen option 1, i.e.

Provide a separate build area that does not have NAC enabled but requires physical security to access

Hi @Anil Ku,

Do you have any challenges in case we have many branches? Do you need a separate build area for each branch?

Another thing: we need to bring that workstation from the user's place to the build area. Doing that requires a lot of time and will delay fixing the issue. For example, sometimes it is not a new workstation that needs to join the domain; it can be an existing one that has a problem with the domain not syncing or that needs to re-join.

Cisco should have a good solution for this.

Any other advice based on the above concerns? Thank you so much.

What I know, I have already shared with you. Best check with your Cisco Account Management team.