Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
5
Helpful
2
Replies

cisco ISE 2 way authentication

Mohamed Kabeer S
Level 1
Level 1

‎10-29-2019 11:52 PM

Dear All,

I am looking for 2 way authentication in cisco ISE. We are using cisco ISE 2.2 and I want to achieve Mac and AD based authentication. I want create one group of endpoints mac Address and I want to know those endpoint to authenticate with my AD to allow access.

Could you please advise how we can do.

 

REgards,

Kabeer

0 Helpful
2 Replies 2

JohnNewman7082
Level 1
Level 1

‎10-30-2019 07:52 AM

Hi Kabeer,

  It sounds like you are looking for a solution like Cisco ISE Easy Connect:

https://community.cisco.com/t5/security-documents/ise-easy-connect/ta-p/3638861

 

Basically, this flow allows your computers to authenticate via MAB to your network.  This creates a MAC to IP binding in ISE.  When the user logs into the computer, that hits against AD.  This creates a USER to IP binding in AD.  ISE can then reach out to AD through the WMI connector to pull the User to IP binding to match the IP to MAC binding on ISE.  This creates the MAC to User binding.

 

I am not a huge fan of this solution.

If you are looking to ensure the computer is a company issued machine, i would suggest to do Eap-Chaining with Cisco Anyconnect or machine and user auth with the windows native supplicant.   This would authenticate the machine to AD and then have the user authenticate to AD.   Your live logs will still have the MAC address and i believe Context Visibility in ISE will also show the link. 

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to JohnNewman7082

‎10-30-2019 10:02 AM

Adding to @JohnNewman7082 remarks.

 

Introducing NAM and potentially using certificates to accomplish eap-tls auth and/or eap-chaining will introduce several new components and a lot more admin overhead.  I think most would agree that the native supplicant is much easier to use.  However, I can tell you from my experience that NAM offers eap-chaining via eap-fast, single sign-on, and some other things that may be of potential interest that the native supplicant cannot do.  Ultimately, I think your requirements will drive your decision on what supplicant to use.  

 

Something else to consider that may aide in determining if hosts are a part of your domain/a company asset is device profiling.  You could essentially push authz results based on profiled endpoint groups in ISE.  Note that plus licensing would be needed in this type of scenario.  One profiling condition that may be of interest to you is the AD Host Exists EQUALS true/false.  Another possibility is using the ISE posture module to do reg checks to ensure the host is a member of your domain.  Again, this creates additional management due to more software.  Just thought I should mention it.  Anyways, HTH & Good luck!

0 Helpful
Customers Also Viewed These Support Documents