Quick context - ISE 3.2 distributed deployment. 802.1x authentication policy sets have the following as our primary authZ policy for corporate machines: The question I have is based on the external group condition. Is ISE looking for a user certific...
We're experiencing similar issues on various systems. The biggest thing we did was to get SAN URI added to the certificates with the intune device id. MAC address is considered legacy and especially when certain devices are behind docking stations ...
Yes, there are some machines hitting the machine only rules: Most of them legitimately presenting machine certificates, some with user identities (contractors) which is something I need to figure out separate from all this.
OK, so since we're set to "Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)" it's taking any identity in the certificate (cn, san etc.) and checking it against AD. That being the case, if the device presents ...
For anyone looking at this in 2024, according to TAC: access-session closed overrides a preauth ACL and only allows EAPOL traffic. If, like me, you're trying to run in enforcement mode but you have a lot of MAB clients but don't want the unfettered...