Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE using AD credentials in an environment where most machines are not on AD


I am looking at ISE wired and wireless for a large university campus network. All users have AD accounts, and user login credentials will reside on AD. Most machines on the network are not on AD.

I would like to understand how 802.1x authentication process works for non AD machines, ie what is the users login experience with regards to passing credentials to ISE, and what does the background process look like?


Cisco Employee

ISE using AD credentials in an environment where most machines a


An unknown profile is the default system profile that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE. When an endpoint is dynamically discovered in Cisco ISE, and there is no matching endpoint profiling policy for that endpoint, it is assigned to the unknown profile. If there is no matching endpoint profiling policy for a statically added endpoint, then you can assign the unknown profile to an endpoint, and change it later. If you have an endpoint added statically to your network, the statically added endpoint is not profiled by the profiling service in Cisco ISE. For the statically added endpoint to be profiled, the profiling service computes a profile for the endpoint by adding a new MATCHEDPROFILE attribute to the endpoint. The computed profile is the actual profile of an endpoint when dynamically assigned. This allows you to find the mismatches between in profiling the statically added endpoint by using the computed profile with an endpoint profile for that endpoint when it is dynamically assigned.

The endpoint profiling policy is never changed for the statically added endpoint. For the endpoint that is statically assigned, the profiling service computes the MATCHEDPROFILE. For all the endpoints that are dynamically assigned, the MATCHEDPROFILEs are identical to the endpoint profiles.

New Member

ISE using AD credentials in an environment where most machines a

Hello Muhammad,

thanks for the reply, but I think you have misunderstood my question. Surely ISE will identify the non AD machine as a Windows PC, so unknown profile does not apply. I would like to know the authentication process for a windows machine that is not on AD. Any help would be much appreciated.