1881 Views, 15 Helpful, 9 Replies

Corporate vs Non-Corporate Machines Authentication

TH09
Level 1

Today, in our network, ISE is joined to CorporateAD; corporate users and machines are authenticated using CorporateAD as the external ID store, and then posture assessment is done to allow network access.

We are implementing NAC for non-corporate users (wireless, wired and VPN access), and these users are domain-joined to other domains.

1. How can we provide secure access to these non-corporate users who are domain-joined to other domains? (We cannot join these other domains to ISE.)

2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.

3. We want to also check if these non-corporate machines have a valid anti-virus as a posture assessment condition.

4. These users have domain credentials, but we don't want them bringing their personal laptops and using those on the network.

5. Can we use their domain to profile these non-corporate users somehow? How can we differentiate corporate machines from non-corporate machines?

Accepted Solution

Mike.Cifelli
VIP Alumni
You have a variety of options you can use to accomplish most of your questions:
1. How can we provide secure access to these non-corporate users who are domain-joined to other domains? (We cannot join these other domains to ISE.)
-You could set up client provisioning so that the non-domain-joined computers are essentially forced to download the ISE posture module, or a temporary module, that you can use to run scans/checks on these hosts. You will have to figure out a way to default these non-domain computers into a network that is restricted and that has a separate AuthZ profile that forces them to the client provisioning portal.
2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.
-You can leverage posture checks to determine this. One example: if you are aware of the other domain names, you could do a registry check to determine if a certain string exists and, if not, deny access to personal laptops, which technically would not be a part of a domain.
3. We want to also check if these non-corporate machines have a valid anti-virus as a posture assessment condition.
-You can leverage posture checks here again to determine if a certain AV service is actively running.
4. These users have domain credentials, but we don't want them bringing their personal laptops and using those on the network.
-See answer to question 2.
5. Can we use their domain to profile these non-corporate users somehow? How can we differentiate corporate machines from non-corporate machines?
-You can utilize the AD probe, assuming that you have your NADs configured as device sensors. Using that probe you can utilize the attribute ADHostExists EQUALS True or False. Another example: if you are aware of the other domain naming conventions, you could utilize the hostname string attribute.

Good luck & HTH!


9 Replies


Hi Mike,

The solutions you provided to 2 and 5 make the most sense, but I don't know how to do those on ISE. Is there a document or something you can provide that I can use as a reference to go about testing those in the lab?

Really appreciate the help!

Thanks.

@Mike.Cifelli

Regarding the following: if we are doing the registry checks, isn't it easy for someone to copy/paste this registry to a personal machine to get around it?

2. We want to make sure only these non-corporate machines (joined to other domains) are allowed network access and not any personal laptops.
-You can leverage posture checks to determine this. One example: if you are aware of the other domain names, you could do a registry check to determine if a certain string exists and, if not, deny access to personal laptops, which technically would not be a part of a domain.

Your response is a fair statement. However, that would be under the assumption that non-domain users know what you check for and how to implement that info to personal laptops. I was providing one of many examples that could potentially be utilized. I would recommend thinking about other types of posture checks you think you could utilize on top of that one provided. Another idea is to use device profiling based on certain attributes :)
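The registry and AV-service posture conditions from the accepted solution, together with the independent cross-check that the copy/paste concern above calls for, as an added lab script: this is not Cisco ISE configuration and not code from anyone in this thread. It runs on the Windows endpoint under test and reports the same values an ISE Registry or Service posture condition would evaluate; the partner domain names and the AV service name are assumptions shown as placeholders.

```powershell
# Added lab example (not ISE configuration, not the poster's code). Reproduces on the endpoint
# the two posture conditions from the accepted solution and adds an OS-level cross-check.
# $AllowedDomains and $AvServiceName are assumptions; substitute your own values.

$AllowedDomains = @('partner-a.example', 'partner-b.example')   # assumed partner domain names
$AvServiceName  = 'WinDefend'                                    # assumed: Microsoft Defender service

# Condition 1: registry string check, as a Registry posture condition would see it.
# Tcpip\Parameters\Domain holds the primary DNS suffix, a plain string an administrator can set.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regDomain = (Get-ItemProperty -Path $regPath -Name 'Domain' -ErrorAction SilentlyContinue).Domain
$registryMatch = [bool]($regDomain -and ($AllowedDomains -contains $regDomain.ToLower()))

# Cross-check: actual domain membership as reported by the OS join state. A copied registry
# string does not change PartOfDomain, so the two results should agree on a genuinely joined host.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$joinedMatch = [bool]($cs.PartOfDomain -and ($AllowedDomains -contains $cs.Domain.ToLower()))

# Condition 2: the AV service is actively running (Service posture condition).
$svc = Get-Service -Name $AvServiceName -ErrorAction SilentlyContinue
$avRunning = [bool]($null -ne $svc -and $svc.Status -eq 'Running')

# One row summarising what the posture agent would report, plus the cross-check columns.
[pscustomobject]@{
    RegistryDomain       = $regDomain
    RegistryMatch        = $registryMatch
    PartOfDomain         = $cs.PartOfDomain
    JoinedDomain         = $cs.Domain
    JoinedMatch          = $joinedMatch
    RegistryAndJoinAgree = ($registryMatch -eq $joinedMatch)
    AvService            = $AvServiceName
    AvRunning            = $avRunning
    WouldPassPosture     = ($registryMatch -and $avRunning)
}
```

Run it as an administrator on one machine from each partner domain and on a non-joined laptop before building the conditions in ISE. A row where RegistryMatch is true but JoinedMatch is false is exactly the case the copy/paste question describes; pairing the registry condition with a second, independent attribute, as the reply above suggests, is what makes that row fail.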

@Mike.Cifelli

Yes, device profiling with a registry check is a solution that I am considering as well, but when it comes to attributes, I don't know which one to use, or which is best here.

Peter Koltl
Level 7

Another method that is much harder to circumvent is to demand a valid client certificate from the other domain. If there are certificates on those clients, or if you can convince them to deploy certificates and 802.1X, then you can validate the issuer as well as any subject field in ISE.
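The issuer and subject validation described in this reply, as an added lab check run on the client (not ISE configuration and not code from the thread): it enumerates the machine certificate store and evaluates, per certificate, the criteria an ISE certificate-based rule would apply. The issuer name and the subject suffix are assumptions shown as placeholders.

```powershell
# Added lab example (not ISE configuration, not the poster's code). Lists machine certificates
# and evaluates issuer, subject, EKU, private key and chain, the fields an ISE certificate
# rule would key on. $ExpectedIssuerCN and $ExpectedSubjectSfx are assumptions.

$ExpectedIssuerCN   = 'CN=Partner Issuing CA'   # assumed issuer DN fragment
$ExpectedSubjectSfx = '.partner-a.example'      # assumed: subject CN must end with the partner domain
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth, required for EAP-TLS client use

function Test-ClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Extended Key Usage must include Client Authentication, otherwise the supplicant will not offer it.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Subject CN as ISE would read it from the Subject field.
    $subjectCN = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        IssuerMatch   = ($Cert.Issuer -like "*$ExpectedIssuerCN*")
        SubjectMatch  = $subjectCN.ToLower().EndsWith($ExpectedSubjectSfx)
        ClientAuthEku = $hasClientAuth
        HasPrivateKey = $Cert.HasPrivateKey
        ChainValid    = $Cert.Verify()      # builds and checks the chain against this machine's trust store
        NotAfter      = $Cert.NotAfter
    }
}

# Only certificates from the expected issuer are candidates; the other columns show why one would fail.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ClientCert -Cert $_ } |
    Where-Object { $_.IssuerMatch } |
    Format-Table -AutoSize
```

A certificate is usable for the rule only when every column is true and NotAfter is in the future; on the ISE side, the issuer check corresponds to trusting that CA in the Certificate Store and the subject check to an attribute condition on the Subject field.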

Please excuse my lack of knowledge on this but isn't it possible to take those certificates on the client and export/copy/paste to the hacker's machine?