12-23-2015 07:32 AM - edited 03-10-2019 11:21 PM
Hi,
I want to identify Corporate devices against BYOD. So, I'm thinking of using condition "WasMachineAuthenticated". Here is my config:
ISE 1.3 Patch 3
Windows 7 Supplicant with Machine and User Auth. Using PEAP.
I have policy for Machine Auth and User Auth.
In External Identity Sources, MAR is enabled with 192 hrs Aging Time.
Lately, I have been reading up on this subject, and I have come across several comments about certain caveats. What are those caveats?
Has anybody successfully implemented this feature? BTW, for me EAP Chaining is not an option.
Thanks !
Tony
12-23-2015 03:08 PM
Hi Tony-
Yes, MAR comes with many limitations and gotchas and as a result, I would highly recommend that you avoid it. I have posted about this in previous threads. Take a look at the following links and let me know if you have any other questions:
https://supportforums.cisco.com/discussion/12209441/cisco-ise-machine-failed-machine-authentication
If EAP-Chaining is not an option then you have some other options:
1. You can use profiling and the help of DHCP class-identifier to distinguish corp machines vs non-corporate
2. You can utilize posture assessment and have the NAC agent look for some hidden file or registry that only corporate machines have (Both the file and registry can be pushed via GPO)
3. You can also make the authentication to be "Machine Only" This will prevent non-domain joined machines from authenticating
I hope this helps!
Thank you for rating helpful posts!
12-28-2015 12:33 PM
Hmm, I believe the "username" for machines when using PEAP is something like this "host/FQDN..." Thus, you could probably use a rule that states if the RADIUS username "contains" either your domain or a pattern used by machines on your domain.
However, the easiest way to distinguish between domain joined and non-domain joined is to have ISE check with AD. Thus, your rule can have something like this:
1. If "external group" = "domain computers"
2. If "identity access restricted" = "false"
3. Then "full access"
This will ensure that the computer that is trying to authenticate and authorize on the network is actually joined to the domain. One thing you will need to make sure of is that your AD is locked down, because I think by default any domain user can join up to 10 workstations to the domain.
Thank you for rating helpful posts!
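To make the username-pattern idea from the answer above concrete, here is an added Python example (not from this thread, not Cisco ISE code) that compares a loose "contains the domain" match against an anchored match on the `host/<hostname>.<domain>` form a Windows PEAP supplicant sends for machine authentication. The domain name and the sample RADIUS User-Name values are constructed.

```python
import re

# Constructed example AD DNS domain; substitute your own.
DOMAIN = "corp.example.com"

# Loose check, equivalent to an ISE rule like RADIUS:User-Name CONTAINS "corp.example.com":
# any identity that carries the domain string anywhere in it matches, including
# user logons typed as jdoe@corp.example.com or corp.example.com\jdoe.
def contains_domain(user_name: str) -> bool:
    return DOMAIN.lower() in user_name.lower()

# Anchored check: the whole value must be host/<hostname>.<domain>, nothing before
# or after, so a user-style identity or a different DNS suffix does not match.
MACHINE_RE = re.compile(
    r"^host/(?P<host>[a-z0-9][a-z0-9-]{0,62})\." + re.escape(DOMAIN) + r"$",
    re.IGNORECASE,
)

def is_machine_identity(user_name: str) -> bool:
    return MACHINE_RE.fullmatch(user_name) is not None

def machine_hostname(user_name: str):
    """Return the computer name (upper case) from a machine identity, else None."""
    m = MACHINE_RE.fullmatch(user_name)
    return m.group("host").upper() if m else None

# Constructed User-Name values, in the shapes seen in ISE RADIUS live logs.
SAMPLES = [
    "host/PC01.corp.example.com",             # machine auth
    "host/pc02.corp.example.com",             # machine auth, lower case
    "CORP\\jdoe",                             # user auth, NetBIOS form
    "jdoe@corp.example.com",                  # user auth, UPN form: contains the domain
    "corp.example.com\\jdoe",                 # user auth, DNS-domain form: contains it too
    "host/PC03.corp.example.com.other.test",  # other DNS suffix that still contains the domain
]

def compare(samples=SAMPLES):
    """Map each sample to (contains_domain result, anchored machine-identity result)."""
    return {u: (contains_domain(u), is_machine_identity(u)) for u in samples}

if __name__ == "__main__":
    for user_name, (loose, strict) in compare().items():
        print(f"{user_name:42} contains={str(loose):5} machine={strict}")
```

Even the anchored form is only what the supplicant claims about itself, so in ISE it belongs alongside the AD "Domain Computers" group check described in the answer rather than in place of it.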
12-24-2015 08:14 AM
Hi Neno,
Thanks for the links ! I'll scrap MAR for now. Not a viable option anymore.
For now, I'm using only RADIUS probe for profiling. In the new year, I'll enable DHCP probe.
One more question:
I was thinking of using Computer name to distinguish Corp vs non-corp. In the Authorization Compound list, is there a condition that would allow me to use Computer name?
Thanks again
Tony
01-05-2016 10:50 AM
Hi Neno,
I would like to start off by wishing you a good 2016. This morning, I was back from holidays.
I found your last post very interesting. The RADIUS username works as expected. However, if the user enters "domain\username", ISE will grant the user access. I'm trying to see if I can make this solution work for me.
The second option doesn't apply to me because the user is matching the User Auth Policy not the Machine Auth.
Meanwhile, there's a condition called Microsoft:MS-Machine-Name in the Microsoft condition list. Do you know how to populate this parameter ?
Thanks !
Tony
03-20-2016 07:15 PM
Hi Tony and happy new year to you as well!! I am very sorry but somehow the notification message about this thread ended up in my Spam Folder :(
Were you able to find a solution about your issue? If not, pls let me know where things stand now and I will try to help you.
Best regards!
Thank you for rating helpful posts!