cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
767
Views
15
Helpful
9
Replies
Beginner

Corporate vs Non-Corporate Machines Authentication

Today, in our network, ISE is joined to CorporateAD and Corporate user and machine is authenticated using CoporateAD as external ID store and then Posture assessment is done to allow network access. 

We are implementing NAC for Non-Corporate Users (Wireless, wired and vpn access) and these users are domain joined to other domains. 

1. How can we provide secure access to these non-corporate users who are domain joined to other domains? (We can not join these others domains to ISE)

2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.

3. We want to also check if these non-corporate machines have a valid Anti-virus as a posture assessment condition.

4. These users have domain credentials but we dont want them bringing their personal laptops and using those on the network. 

5. Can we use their domain to profile these non corporate users some how? How can we differentiate, Corporate machines with non corporate machines?

1 ACCEPTED SOLUTION

Accepted Solutions
Rising star

Re: Corporate vs Non-Corporate Machines Authentication

You have a variety of options you can use to accomplish most of your questions:
1. How can we provide secure access to these non-corporate users who are domain joined to other domains? (We can not join these others domains to ISE)
-You could setup client provisioning to force the non-domain joined computers to essentially be forced to download the ISE posture module or a temporary module that you can use to run scans/checks on these hosts. You will have to figure out a way to default these non-domain computers into a network that is restricted and that has a separate AuthZ profile that forces them to client provisioning portal.
2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.
-You can leverage posture checks to determine this. One example, if you are aware of the other domain names you could do a registry check to determine if a certain string exists and if not deny access to personal laptops that technically would not be a part of a domain.
3. We want to also check if these non-corporate machines have a valid Anti-virus as a posture assessment condition.
-You can leverage posture checks here again to determine if a certain AV service is actively running.
4. These users have domain credentials but we dont want them bringing their personal laptops and using those on the network.
See answer to question 2.
5. Can we use their domain to profile these non corporate users some how? How can we differentiate, Corporate machines with non corporate machines?
-You can utilize the AD probe assuming that you have your NADs configured as device sensors. Using that probe you can utilize the attribute ADHostExists EQUALS True or False. Another example is if you are aware of the other domain naming conventions you could utilize the hostname string attribute.

Good luck & HTH!
9 REPLIES 9
Rising star

Re: Corporate vs Non-Corporate Machines Authentication

You have a variety of options you can use to accomplish most of your questions:
1. How can we provide secure access to these non-corporate users who are domain joined to other domains? (We can not join these others domains to ISE)
-You could setup client provisioning to force the non-domain joined computers to essentially be forced to download the ISE posture module or a temporary module that you can use to run scans/checks on these hosts. You will have to figure out a way to default these non-domain computers into a network that is restricted and that has a separate AuthZ profile that forces them to client provisioning portal.
2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.
-You can leverage posture checks to determine this. One example, if you are aware of the other domain names you could do a registry check to determine if a certain string exists and if not deny access to personal laptops that technically would not be a part of a domain.
3. We want to also check if these non-corporate machines have a valid Anti-virus as a posture assessment condition.
-You can leverage posture checks here again to determine if a certain AV service is actively running.
4. These users have domain credentials but we dont want them bringing their personal laptops and using those on the network.
See answer to question 2.
5. Can we use their domain to profile these non corporate users some how? How can we differentiate, Corporate machines with non corporate machines?
-You can utilize the AD probe assuming that you have your NADs configured as device sensors. Using that probe you can utilize the attribute ADHostExists EQUALS True or False. Another example is if you are aware of the other domain naming conventions you could utilize the hostname string attribute.

Good luck & HTH!
Beginner

Re: Corporate vs Non-Corporate Machines Authentication

Hi Mike,

 

Solutions you provided to 2 and 5 makes the most sense but I dont know how to do those on ISE. Is there a document or something you can provide that I can use as a reference to go about testing those in the lab?

 

Really appreciate the help!

 

Thanks.

Rising star

Re: Corporate vs Non-Corporate Machines Authentication

Beginner

Re: Corporate vs Non-Corporate Machines Authentication

@Mike.Cifelli 

Regarding the following, if we are doing the registry checks, is it not easy for someone to copy/paste this registry to a personal machine to get around it?

 

2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.
-You can leverage posture checks to determine this. One example, if you are aware of the other domain names you could do a registry check to determine if a certain string exists and if not deny access to personal laptops that technically would not be a part of a domain.

 

 

Rising star

Re: Corporate vs Non-Corporate Machines Authentication

Your response is a fair statement. However, that would be under the assumption that non-domain users know what you check for and how to implement that info to personal laptops. I was providing one of many examples that could potentially be utilized. I would recommend thinking about other types of posture checks you think you could utilize on top of that one provided. Another idea is to use device profiling based on certain attributes :)
Beginner

Re: Corporate vs Non-Corporate Machines Authentication

@Mike.Cifelli 

 

Yes, device profiling with registry check is a solution that I am considering as well but when it comes to attributes, don't know which one to use/ or is best here?

Rising star

Re: Corporate vs Non-Corporate Machines Authentication

Highlighted
Contributor

Re: Corporate vs Non-Corporate Machines Authentication

Another method that is much harder to circumvent is to demand a valid client certificate from the other domain. If there are certificates on those clients or if you can convince them to deploy certificates and 802.1X then you can validate the issuer as well as any subject field in ISE.

Beginner

Re: Corporate vs Non-Corporate Machines Authentication

Please excuse my lack of knowledge on this but isn't it possible to take those certificates on the client and export/copy/paste to the hacker's machine?