
ISE using AD credentials in an environment where most machines are not on AD

mamckenn
Level 1

Hello

I am looking at ISE wired and wireless for a large university campus network. All users have AD accounts, and user login credentials will reside on AD. Most machines on the network are not on AD.

I would like to understand how the 802.1X authentication process works for non-AD machines, i.e. what is the user's login experience with regard to passing credentials to ISE, and what does the background process look like?

thanks!

2 Replies

Muhammad Munir
Level 5

Hi

An unknown profile is the default system profile that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE. When an endpoint is dynamically discovered in Cisco ISE, and there is no matching endpoint profiling policy for that endpoint, it is assigned to the unknown profile. If there is no matching endpoint profiling policy for a statically added endpoint, then you can assign the unknown profile to an endpoint, and change it later. If you have an endpoint added statically to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. For the statically added endpoint to be profiled, the profiling service computes a profile for the endpoint by adding a new MATCHEDPROFILE attribute to the endpoint. The computed profile is the actual profile of an endpoint when dynamically assigned. This allows you to find the mismatches in profiling the statically added endpoint by using the computed profile with an endpoint profile for that endpoint when it is dynamically assigned.

The endpoint profiling policy is never changed for the statically added endpoint. For the endpoint that is statically assigned, the profiling service computes the MATCHEDPROFILE. For all the endpoints that are dynamically assigned, the MATCHEDPROFILEs are identical to the endpoint profiles.

Hello Muhammad,

Thanks for the reply, but I think you have misunderstood my question. Surely ISE will identify the non-AD machine as a Windows PC, so the unknown profile does not apply. I would like to know the authentication process for a Windows machine that is not on AD. Any help would be much appreciated.

thanks
