I configured my ISE on the network.
Now if a user enters a domain account (Active Directory), he has full access to the network.
But some users use their personal computer with their domain account to access the network.
How can I add a second requirement before access to the network is granted?
The second requirement should be to check that the computer has been added to the domain.
Please can you help me with a step by step configuration?
This is a common requirement.
Firstly you need to understand that the Windows 802.1X built-in supplicant doesn't do user and machine authentication simultaneously. It will do machine auth pre-login, and then on login it will do user auth. Never both at the exact same time.
You have a few options.
1. Don't have a user auth rule. Just base the rule on an AD computer group. Configure machines for machine auth only.
2. Use Machine Access Restrictions (MAR). ISE can have a rule that says: no user auth allowed unless a successful machine auth is performed prior.
3. Use EAP chaining. This currently means using the Cisco AnyConnect NAM client instead of the Windows supplicant. This client can do user and machine auth at the same time.
4. Use some other kind of profiling or posture for ISE to check if the machine is a "corporate asset".
I don't recommend using MAR. It has a few drawbacks. EAP chaining is good for windows clients.
Please see the below video for configuring user and machine authentication with EAP chaining.
You may also use the below link.
Machine Access Restriction and Active Directory Users:
Cisco ISE Release 1.1 contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache of Calling-Station-ID values from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization should be assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication should be assigned.
Cisco ISE allows you to restrict network access for user accounts that are based on authentication settings that you configure for attributes and passwords associated with the user accounts. When defining user accounts, you can manage network access in the following ways:
• Use pre-defined system attributes or create custom attributes
• Define authentication settings that form a password policy
By default, Cisco ISE is set up to provide internal administrator authentication. Therefore, to set up external authentication, you need to create a password policy for the external administrator accounts that you define on the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.
In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.
Next, you will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.
Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
For more information regarding the step by step configuration, please go through this link:
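The MAR description quoted above (cache the Calling-Station-ID of every successful machine authentication for the configured "Time to Live", then look it up when the user authenticates) is small enough to model end to end. The following is an added example written for this thread, not Cisco code and not how ISE is implemented internally; the profile names, the 24-hour TTL and the sample RADIUS events are all constructed for illustration. It shows the two authorization outcomes the document lists, plus what happens once the TTL has expired without a fresh machine authentication.

```python
"""Simulation of the Machine Access Restriction (MAR) cache behaviour.

Added example for illustration only; not Cisco ISE code.  A successful
machine authentication stores the RADIUS Calling-Station-ID (attribute 31,
i.e. the client MAC) with an expiry of "Time to Live" hours.  A later user
authentication from the same Calling-Station-ID receives the
"user + machine" profile; any other user authentication receives the
"user without machine authentication" profile.
"""
from dataclasses import dataclass, field

# Assumed authorization profile names; ISE lets you name these freely.
PROFILE_USER_AND_MACHINE = "PermitAccess_CorporateAsset"
PROFILE_USER_ONLY = "PermitAccess_UserOnly_NoMachineAuth"


def normalize_csid(csid: str) -> str:
    """Make '00-11-22-AA-BB-CC', '00:11:22:aa:bb:cc' and '0011.22aa.bbcc'
    compare equal: keep only the hex digits, lower-cased."""
    return "".join(ch for ch in csid.lower() if ch in "0123456789abcdef")


@dataclass
class MarCache:
    ttl_hours: float = 24.0                        # assumed "Time to Live" value
    _entries: dict = field(default_factory=dict)   # csid -> expiry time (hours)

    def record_machine_auth(self, csid: str, now_hours: float) -> None:
        """Successful machine authentication (host/ account): cache the CSID."""
        self._entries[normalize_csid(csid)] = now_hours + self.ttl_hours

    def purge(self, now_hours: float) -> None:
        """Drop entries whose TTL has expired."""
        self._entries = {k: exp for k, exp in self._entries.items() if exp > now_hours}

    def has_machine_auth(self, csid: str, now_hours: float) -> bool:
        self.purge(now_hours)
        return normalize_csid(csid) in self._entries

    def authorize_user(self, csid: str, now_hours: float) -> str:
        """User authentication: choose the profile from the cache lookup."""
        if self.has_machine_auth(csid, now_hours):
            return PROFILE_USER_AND_MACHINE
        return PROFILE_USER_ONLY


# Constructed RADIUS-style events: (time in hours, request type, Calling-Station-ID, identity)
SAMPLE_EVENTS = [
    (0.0,  "machine", "00-11-22-AA-BB-CC", "host/LAPTOP01.corp.example"),
    (0.1,  "user",    "00:11:22:aa:bb:cc", "CORP\\alice"),  # same laptop, different MAC formatting
    (0.2,  "user",    "DE-AD-BE-EF-00-01", "CORP\\bob"),    # personal laptop, never machine-authenticated
    (8.0,  "user",    "00-11-22-AA-BB-CC", "CORP\\alice"),  # re-auth hours later, still inside the TTL
    (30.0, "user",    "00-11-22-AA-BB-CC", "CORP\\alice"),  # 24 h TTL expired, no new machine auth since
]


def run_scenario(events=SAMPLE_EVENTS, ttl_hours=24.0):
    """Replay the events and return (time, identity, profile) for each user auth."""
    cache = MarCache(ttl_hours=ttl_hours)
    decisions = []
    for t, kind, csid, identity in events:
        if kind == "machine":
            cache.record_machine_auth(csid, t)
        else:
            decisions.append((t, identity, cache.authorize_user(csid, t)))
    return decisions


if __name__ == "__main__":
    for t, identity, profile in run_scenario():
        print(f"t={t:5.1f}h  {identity:<28} -> {profile}")
```

The normalisation step matters in practice: the supplicant, switch and controller do not all format the MAC in attribute 31 the same way, and a cache keyed on the raw string would miss matches. The last event shows why the TTL is the setting to tune when users stay logged on for long periods: once it lapses with no new machine authentication, the same user on the same corporate laptop drops to the weaker profile.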
Hi, and thanks for your answer.
I read many documents about user and machine authentication (wired and wireless).
I would like to know what is the best and most efficient method to use (I don't want to install any software on my computer):
- EAP chaining
- others ...
I read many documents and I see that with PEAP, machine authentication only happens at the Windows login.
So if the user logs in on their computer (opens a Windows session) and then connects to the switch, how will the ISE do the machine authentication?
The link below might help you with the machine authentication:
If I use PEAP,
I would like to know what happens if a user opens a session (machine and user are authenticated correctly).
Then after many hours he disconnects his network cable from the switch and connects it again after 5 minutes.
As he doesn't open a new Windows session, will he get access to the network (successful machine authentication)
without opening a Windows session again?