Wireless 802.1x with Cisco ISE

Djash
Level 1

I created an authorization rule to allow domain users AND computers but it is not working. It works for domain users only. I think I am having an issue with authenticating domain computers. I need help to authenticate domain computers. My goal is to only allow domain users AND domain computers to log in to the SSID.

  • Are the computers properly joined into the domain?
  • Is the supplicant configured for user *and* machine authentication?
  • What is in the ISE authentication live log / authentication detail report when the computer starts up?

  • Yes, the computers are on the domain
  • Confirmed that the supplicant allows user OR computers (I am using the default supplicant for Windows 10)
  • The log shows that it hits the default rule (Deny Access)

Then your Authorisation policy is wrong and not matching on the Domain PCs. You need to:

  • Have the "Domain Computers" group added in your AD External Identity Sources
  • Have an authorisation rule that matches on this group and assigns the right permissions

I realized that the computers were not in the users/domain computers directory. I created a separate group for only laptops that can join the SSID, then it works.