
Restricting users to Logon to Domain

shoeb_net_scs
Level 1

Dear All,

As Cisco ACS/ISE is capable of machine authentication, such as checking through a certificate whether the machine is joined to the domain, is it possible, by using dot1x, to restrict users to logging on to the Windows domain instead of logging on locally to the Windows machine using a local username and password?

When a user logs on to the Windows machine, PEAP will pop up a window for the authentication, and the user will enter a domain username and password to get connected to the network. In my scenario, the user first logs on to the machine using a local username and password and, once prompted, he/she enters a domain username and password for dot1x, which allows them not to be restricted by domain policies.

We have a policy that users should not have network access unless he/she logs on to the Windows domain. We are in the phase of deploying Cisco ISE, and I am wondering if I can achieve it using Cisco ACS/ISE.

Thanks in advance for all your help. Sorry if it has already been discussed.

Shoeb Ahmed,

2 Replies

Tarik Admani
VIP Alumni

Can you please elaborate on your scenario? Are the users using different credentials to log in to the machine versus the supplicant? You should be able to issue a group policy where the supplicant uses the Windows credentials and lock that down for all users.

Also, if you only want corporate-issued devices on the network, you can enable machine access restriction (MAR); this will only allow users that authenticate from domain-issued laptops.

Let me know if this helps any,

Tarik Admani

Dear Tarik,

Thanks for your interest. MAR will make sure that the machine is authenticated. My requirement says that the machine should be a corporate machine, which MAR fulfills; also, the management wants the user not to be able to log on locally even if he has the admin password of the local machine. Is it possible to restrict users from logging on locally to the machine?

To be more specific, we need to make the supplicant use integrated authentication rather than prompting users for a username and password.

Thanks,

Shoeb
