Cisco Support Community
New Member

Cisco ISE - Computer and User Authentication on AD for Wireless Clients.

Hello all,

I am trying to configure Cisco ISE to authenticate/authorize wireless access with PEAP MSCHAPv2.

The AD user authorization works fine, but I cannot see in the logs a challenge for the computer verification (it must be a domain member).

I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.

Can you explain to me whether this is caused by the ISE configuration or by the client configuration?

Thanks a lot for your help.

 

The following screenshots show the logs appearing in the ISE:

 

Kind regards, Emeric.

 

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Well, from the log it seems you have authenticated the users based on the AD, where once the user is authenticated the second policy for computer member of domain is not checked, as the user is already given approval for access. This is the reason your second policy is not used and no log is generated.

6 REPLIES

New Member

test.

New Member

Hi Kashif,

Thanks for your answer.

You're right, I have not created an authentication rule for workstations, only a rule for users.

I will try and give you my result.

Regards, Emeric.

New Member

Kashif,

I can't find a way to create a rule for my "Identity Source Sequence" or an Endpoint Identities rule where I can specify the computer member of domain check... Only a MAC address filter...

Can you tell me where I can create this policy?

Thanks a lot !

Regards, Emeric.

This is a great question and I wanted to add my input, and I have a question as well. My understanding is that in order to do both machine and user, EAP-Chaining is required, which uses EAP-FAST.

In my testing, when a domain box is configured for computer/user authentication, the laptop authenticates at startup with a host/ and SID in the log.

When the user logs in you then see the user ID.

For my benefit, which rule are you talking about?

 

Thank you 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

New Member

Hi,

To close this topic, I have found these videos:

For PEAP: http://www.youtube.com/watch?v=amUQz4-GLgs

For EAP-TLS: http://www.youtube.com/watch?v=OCqLRzuqCW8

I have tested PEAP: it works! :)

 

Regards, Emeric.
