Recommended Posts

Can you post your ISE application status?

show appli status ise

 

Mine this is disabled

TC-NAC Service                         disabled

 

Never good to be the only guy, you will never have a proper vacation. I changed work 4 weeks ago and here we are only 4, in my previous we were in 27 in my team, 9 in the other team and 40 networking consultants.

Hmm, and I am sitting here thinking you're using ISE and you have kind similar config. What are you using? NPS?

Here is the thing...if the computer is joined to the domain it is trusted and can go onto the trusted network(s) either wired or wireless.  It is both controlled by radius....if I disable the computer/take them out of the groups they won't auth. 

 

Yes NPS is what I use. 

 

If it has not been a joined computer it goes into a more secure vlan only giving access to certain servers/applications via rules/ACLs. Think Ipads and other smart devices.

 

 

I do computer based auth instead of user based auth for the simple fact that if a user password expires and they don't change it prior to being forced, they will not be able to auth or get a network connection when they are forced to change it.  Users must be on a network connected to AD for them to change their passwords...

 

You could get around that a few ways but it leaves your AD server(s) open to anyone who connects.  Creating a restricted default vlan that they connect to and creating rules that only allow communication to the AD servers....but if you just did computer auth, that would be good enough as you trust the computers you hand out to users (for the most part anyway).

 

Similar config sure, not exact as yours...

 

 

INternet proxy/web filter handles the captive portal to the internet

NPS handles wired and wireless auth to the network as well as vlan assignment based on AD groups

 

 

 

 

 

This is what my NPS site looks like...somethings changed around but you get the idea. 

 

Each NPS server essentially supports a building...buildings have a point to point fiber because they are across the parking lot.  It is easier when making rules up as I don't have to be so granular.  I tried combining multiple "clients" in a rule, but they never successfully auth'd (probably because the rule is an "And" not an "OR" statement, but you can't exactly see it nor is it documented which way it is).

 

 

 

 

1.jpg

Yeah, we use computer based authentication as well for some other reasons. At this time we are gonna go with wired access in ISE and when we are done we'll change focus on wireless though wireless is already uses dot1x (meraki and nps at this time, but will go over to ISE).

 

When I'm done with MAB I'll configure guest access, captive portal for them and when that is done then I can move wireless from nps to ise. This captive portal is not as easy as thought though.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.