07-26-2019 07:08 AM
Today, in our network, ISE is joined to CorporateAD, and corporate users and machines are authenticated using CorporateAD as the external ID store; a posture assessment is then done to allow network access.
We are implementing NAC for non-corporate users (wireless, wired and VPN access), and these users are domain-joined to other domains.
1. How can we provide secure access to these non-corporate users who are domain-joined to other domains? (We cannot join these other domains to ISE.)
2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access, and not any personal laptops.
3. We also want to check that these non-corporate machines have a valid antivirus as a posture assessment condition.
4. These users have domain credentials, but we don't want them bringing their personal laptops and using those on the network.
5. Can we use their domain to profile these non-corporate users somehow? How can we differentiate corporate machines from non-corporate machines?
07-26-2019 08:29 AM
07-26-2019 09:07 AM
Hi Mike,
The solutions you provided for 2 and 5 make the most sense, but I don't know how to do those on ISE. Is there a document or something you can provide that I can use as a reference to go about testing those in the lab?
Really appreciate the help!
Thanks.
07-26-2019 11:36 AM
07-29-2019 09:02 AM
Regarding the following: if we are doing the registry checks, is it not easy for someone to copy/paste this registry key to a personal machine to get around it?
2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access, and not any personal laptops.
- You can leverage posture checks to determine this. One example: if you are aware of the other domain names, you could do a registry check to determine whether a certain string exists and, if not, deny access to personal laptops, which technically would not be part of a domain.
07-29-2019 10:07 AM
07-29-2019 10:44 AM
Yes, device profiling with a registry check is a solution that I am considering as well, but when it comes to attributes, I don't know which one to use or which is best here.
07-29-2019 12:29 PM
08-04-2019 11:48 AM
Another method that is much harder to circumvent is to demand a valid client certificate from the other domain. If there are certificates on those clients or if you can convince them to deploy certificates and 802.1X then you can validate the issuer as well as any subject field in ISE.
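For anyone who wants to see what the two approaches in this thread actually evaluate on the endpoint before building the conditions in ISE, here is an added PowerShell check. It is my own example, not code from the original posts or from Cisco. It reads the same registry value a posture registry condition would compare (the machine's primary DNS suffix) and then looks for a machine certificate from the other domain's CA, the way the certificate approach above validates issuer and subject. The domain names, the CA name `Partner Issuing CA 01`, and the variables `$AllowedDomains` and `$TrustedIssuerCN` are placeholders for your environment.

```powershell
# Added example (not from the thread): run on a Windows endpoint to see what
# an ISE registry posture condition and a certificate-based authorization
# rule would be looking at, before you build them in the lab.
#
# Assumptions (replace for your environment; these names are hypothetical):
#   $AllowedDomains  - the non-corporate AD domains you are willing to admit
#   $TrustedIssuerCN - CN of the CA issuing machine certs in those domains
$AllowedDomains  = @('partner1.example', 'partner2.example')
$TrustedIssuerCN = 'Partner Issuing CA 01'

# --- Check 1: registry string (the posture-style check from the reply above) ---
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain holds the
# machine's primary DNS suffix; a laptop that is not domain-joined normally
# has it empty. This is the value a registry condition would compare against.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$registryDomain = [string]$tcpip.Domain

# Cross-check with what Windows itself reports about domain membership.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$registryOk = $cs.PartOfDomain -and ($AllowedDomains -contains $registryDomain.ToLower())

# --- Check 2: machine certificate issued by the other domain's CA ---
# Anyone with admin rights can type the registry value into a personal laptop;
# a certificate chaining to the partner CA cannot be produced without that CA.
# This mirrors validating the Issuer and Subject fields in ISE.
$now = Get-Date
$machineCert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        $_.Issuer -match ('CN=' + [regex]::Escape($TrustedIssuerCN))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$certOk     = $false
$certIssuer = $null
if ($machineCert) {
    $certIssuer = $machineCert.Issuer
    # Verify the chain builds to a trusted root on this host; ISE does its own
    # chain validation against the CA certificates imported into it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab check only
    $chainOk = $chain.Build($machineCert)

    # Subject CN should name the host in one of the allowed domains,
    # e.g. CN=host.partner1.example
    $subjectCn = ($machineCert.Subject -split ',' |
        Where-Object { $_.Trim() -like 'CN=*' } |
        Select-Object -First 1) -replace '^\s*CN=', ''
    $subjectDomain = ($subjectCn -split '\.', 2)[-1].ToLower()

    $certOk = $chainOk -and ($AllowedDomains -contains $subjectDomain)
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    RegistryDomain   = $registryDomain
    PartOfDomain     = $cs.PartOfDomain
    RegistryCheck    = $registryOk
    MachineCertFound = [bool]$machineCert
    CertIssuer       = $certIssuer
    CertificateCheck = $certOk
}
```

Run it in an elevated PowerShell on a lab machine from one of the other domains and again on a personal laptop. The registry check passes on any box where someone has set that value, which is the concern raised earlier in this thread; the certificate check only passes when a valid machine certificate from the partner CA with a matching subject is present. In ISE the first corresponds to a registry condition in the posture policy and the second to matching the certificate issuer and subject attributes in the authorization policy, as described above.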
08-06-2019 07:50 AM