Re: Cisco ISE 2.3 Problrm Join to Domain

ali.mousavizadeh · ‎02-17-2018

Hi

I recently installed Cisco ISE 2.3 and I want to create a policy that only Users and computers Join to the domain can connect to the network. I'll use the policy below:

I also have the following configurations:

But a number of users occasionally encounter this problem:

According to reports, when users Lock or Sleep computers, this problem is most likely to occur.

Please guide me about this.
Thankful

Flavio Miranda · ‎02-17-2018

Hi @ali.mousavizadeh

The screenshot you provided is related to the integration between ISE and Domain. This is actually required but it is not there where you are going to enforce that Users and Machine gets authenticated in order to proceed in the network.

There is one way to achieve Machine+User authentication through ISE. You need to create two rules in Authorization policy as below

1st Rule :

ExternalGroups==Domain Computers

With the 1st rule , machine will get authorized access when machine boots up ( Before user enters his credentials)

2nd Rule:

NetworkNAccess:WasMachineAuthenticated ==True

AND

ExternalGroups==Domain Users

User will enter credentials and he will get authorized access because of 2nd Rule.

The Windows clients need to be proper configured either locally or using GPO.

-If I helped you somehow, please, rate it as useful.-

ali.mousavizadeh · ‎02-17-2018

Thank you for your support @Flavio Miranda

But I sent this screenshot to my previous question:

I think it's exactly the rolls you said.

My problem is with the users who Lock or sleep or Hibernate their computers.
Sometimes I encounter the problem I mentioned above.

Thanks

Flavio Miranda · ‎02-18-2018

I can't see the screenshot, could attach it again?

-If I helped you somehow, please, rate it as useful.-

ali.mousavizadeh · ‎03-18-2018

Sorry for the delay @Flavio Miranda
I Attached again