04-27-2021 09:01 AM
Hello Team,
I have Cisco ISE 2.4. 802.1X with domain authentication is working perfectly.
When I add any new laptop to the domain, I am not able to do that on a secure port, meaning a port where 802.1X is already configured.
On a non-secure port, I am able to build a new laptop and add it to the domain.
Any idea what I should do here?
Best Regards
Anil Singh
04-27-2021 09:09 AM
In most cases that will be in the Build stage and Build area; the ports can be unauthenticated, so you know these are used for building new devices and joining them to the Domain.
04-27-2021 04:21 PM
Any alternative to this?
Shall I allow the AD IP in the pre-auth ACL? After this, things started working, but it seems to be a security issue.
Also, if I create a MAC address whitelist on ISE, then the extra burden will fall on the ISE admin.
The problem is that the customer is challenging that the same thing was working perfectly on some old site, which is decommissioned now.
Is it possible that I can add a computer certificate + user certificate manually to the PC which I am building and then add it to the domain via the dot1x policy?
Best Regards
Anil Singh
04-27-2021 07:30 PM
This is a common issue due to the way Windows builds work. See a similar discussion with some options in this post.
04-28-2021 08:49 AM
I am confused now.
After changing the switch-side configuration order from mab dot1x to dot1x mab, the workgroup device started authenticating via dot1x.
Is it because the workgroup device already has a certificate installed on it?
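Added example (not from the thread, not from Cisco's answer in the linked post, and not a configuration either poster showed): a Cisco IOS low-impact-mode access port that illustrates the two points raised in the posts above, the "dot1x mab" versus "mab dot1x" authentication order, and a pre-auth ACL that permits the domain controller for a domain join without opening the port to everything. The domain controller address 10.0.0.10, the interface name and the access VLAN are assumptions; substitute your own.

```cisco
! Added example, not from the original thread.
! Pre-auth ACL for low-impact mode. It governs traffic on the port BEFORE
! any 802.1X/MAB result. Scoped to one assumed domain controller
! (10.0.0.10) and the ports a Windows domain join needs, instead of
! "permit ip any host <AD IP>", to reduce what an unauthenticated
! machine can reach.
ip access-list extended PRE-AUTH
 remark DHCP so the freshly imaged PC gets an address
 permit udp any eq bootpc any eq bootps
 remark DNS, Kerberos, NTP, RPC, LDAP, SMB to the assumed DC only
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq domain
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 123
 permit tcp any host 10.0.0.10 eq 135
 permit udp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 remark RPC dynamic port range used by domain join
 permit tcp any host 10.0.0.10 range 49152 65535
 deny   ip any any
!
interface GigabitEthernet1/0/1
 description Access port - low-impact mode (assumed interface)
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 ! authentication open = low-impact mode: the port forwards traffic
 ! pre-auth, limited by the PRE-AUTH ACL above
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 ! "authentication order mab dot1x" tries MAB first.
 ! "authentication order dot1x mab" (used here) tries 802.1X first and
 ! falls back to MAB, which is the change described in the post above.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Once the supplicant authenticates, ISE can return a downloadable ACL in the authorization result, and that session-specific ACL takes over from the static PRE-AUTH ACL for that endpoint, so the narrow pre-auth ACL only limits what an unauthenticated machine can reach while it joins the domain. The remaining exposure is that any device on the port can talk to the DC on these ports before authenticating, which is the trade-off the poster above is weighing against a separate build area.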
07-14-2021 02:46 AM
Hi, I have the same case. Any suggestion for a compatible solution?
Note: we are the ISE administrators. Currently, when there is a new PC that needs to join the domain, we help by whitelisting it from the ISE dashboard or excluding the switch port without applying low-impact mode; then the Desktop Support team can perform the domain join and install the software from their checklist, and after they complete it we remove it from the whitelist. But this requires a lot of help from teams and also creates workload and low productivity. For example, sometimes the Desktop Support team needs to fix an issue or re-join the domain immediately, but they need to contact the ISE administrator or network team to whitelist or exclude the switch port.
In our environment before applying ISE, the Desktop Support team could join or re-join the domain at the user's place.
Thank you so much for the advice.
07-14-2021 05:09 AM
Hello Sina,
The solution is already provided by @Greg Gibbs:
Solved: PC Imaging on NAC secured ports - Cisco Community
We have to choose from the options.
I have chosen option 1, i.e.:
Provide a separate build area that does not have NAC enabled but requires physical security to access
07-14-2021 09:25 PM
Hi @Anil Ku ,
Do you have any challenges in case we have many branches? So you need a separate build area for each branch?
Another thing: we need to bring that workstation from the user's place to that build area. Doing that requires a lot of time and will delay fixing the issue. For example, sometimes it is not a new workstation that needs to join the domain; it can be an existing one that has a problem with the domain not syncing or needs to re-join.
Cisco should have a good solution for this.
Any other advice based on the above concern? Thank you so much.
07-21-2021 06:05 AM
What I know, I have already shared with you. Best check with your Cisco Account Management team.