Cisco Support Community
Community Member

PC Still Can Access Network without Joining AD in ISE Environment

Hi Folks,

I'm new to ISE and I have a problem about access control with ISE and here's my situation:

The wired 802.1X is deployed with windows AD using ISE. For now, Clients joined the domain can access the network well, however, for computers which havn't joined the domain can also access the network if the users know their account of the domain. They can start the 802.1X service by themselves and configure the network card properly, connect the network cable, when the windows dialog pops up, the user can enter the username starts with the domain like "mydomain\username"(mydomain is the domain name) and the passowrd, then the computer can gain the access just like it had joined the domain. So I think there may be some mistakes with my Authentication and Authorization Policy.

My authentication policy is configured like this:

authentication policy.jpg

the ChinaPnR-ISE is the AD name

My authorization policy is configured like this:

authorization policy.jpg

I'm wondering if I can add one condition to math the hostnames of the windows as computers which had joined have the unified format?


CreatePlease to create content