
ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

Hi,

Could you help me with my doubt?

Can I use ISE 2.2 to authenticate (Wireless_802.1X) only the AD user (without the machine needing to be in the AD domain)?

Best regards

LOURENÇO, Claudio

5 Replies

RJI (VIP Advisor)

Re: ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

Hi,

Yes, you will need to configure the AD domain in ISE as an external identity source. Then configure the appropriate authentication and authorization rules in a policy. On the client computer (I assume Windows), just configure it to use user authentication and select PEAP/MSCHAPv2 as the authentication protocol.

Re: ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

I'm going to do a lab because I have a Cisco ISE implementation.

Thank you very much for your attention RJI.


ajc (Frequent Contributor)

Re: ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

Contributor

Re: ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

If the machine is not a domain member, then the user logon credentials are not suitable to authenticate the user in the domain for 802.1X. That is, single sign-on is not an option. Therefore the client must be configured not to use the logon credentials for 802.1X (uncheck "Enable single sign on for this network"), and an 802.1X password popup window or a bubble will appear after the logon where the user must enter a valid domain username and password.

Re: ISE 2.2 authenticate only AD user (without the need for the machine to be in the AD domain)

I did the lab and it worked!

Thank you, RJI and Peter Kolti, very much for your attention.