Adding a new PC to AD without whitelisting

Thea OEM
Level 1

Hi team,

I have ISE version 3.1 patch 6 integrated with AD.

* Adding a new PC to AD:

1. Whitelist the MAC address of the PC on ISE.

2. Whitelist the MAC address of the USB network adapter on ISE.

Q: Do you have another solution to add a new PC to AD without whitelisting?

7 Replies

Milos_Jovanovic
VIP Alumni

Hi @Thea OEM,

MAC address authentication is usually used only when there is no other way of performing authentication (e.g. dummy devices that don't support 802.1x, like printers, CCTV and similar).

Given that you have AD and ISE, I would advise migrating from MAB to dot1x authentication; that way you don't need to deal with MAC addresses anymore, as you'll do the AD join anyway. There are numerous posts and guides on dot1x implementation, so look it up on this community.

Kind regards,

Milos

Hello @Milos_Jovanovic 

Sure, I use 802.1x for PCs and MAB for IoT devices. When we have a new PC that needs to be added to AD, we plug it into the network to get an IP, but this PC cannot access network resources anymore because we set the policy condition:

Posture check required: user AD + anti-malware

+ Our solution: whitelist this PC to add it to AD first; the PC gets an AD certificate, the AnyConnect agent scans compliance, then we remove the whitelist entry again.

My purpose: find another solution, because we don't want whitelisting.

If your policy is to use whitelisting, then you don't really have many options other than to whitelist it.

What you could consider is a different approach than whitelisting. You could use a PEAP/EAP-TLS approach: use a dual-SSID approach, authenticate the PC via user credentials and quarantine it so it gets the necessary config, such as the cert and the appropriate WiFi profile, and upon enrollment it will re-authenticate with the cert and get full access. Similar can be done for wired access, if needed. This way, if the user is using only credentials, he ends up with limited access and is motivated to complete cert-based authentication.

Kind regards,

Milos

Hi @Milos_Jovanovic 

Appreciated, thank you for your advice.

balaji.bandi
Hall of Fame

In most cases in a corporate environment, PCs are built using certs, so they can be identified by the local PKI infrastructure to join the domain.

Do you have an 802.1x environment? Why are you looking at MAB (is this not the standard build?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello @balaji.bandi 

Sure, I use 802.1x for PCs and MAB for IoT devices. When we have a new PC that needs to be added to AD, we plug it into the network to get an IP, but this PC cannot access network resources anymore because we set the policy condition:

Posture check required: user AD + anti-malware

+ Our solution: whitelist this PC to add it to AD first; the PC gets an AD certificate, the AnyConnect agent scans compliance, then we remove the whitelist entry again.

My purpose: find another solution, because we don't want whitelisting.

You make a different policy for onboarding devices, so they get the basic requirements to join AD.


BB

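The quarantine-then-re-authenticate flow Milos describes and the separate onboarding policy BB suggests can be modelled as one ordered rule set. The following is an added example, not code from any poster or from Cisco ISE; the session attributes, the MAC in the IoT whitelist and the result names (Onboarding-dACL, Posture-Remediation, IoT-dACL) are constructed placeholders, not real ISE objects.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Session:
    """Attributes ISE sees for one RADIUS session (constructed for this example)."""
    mac: str
    eap: Optional[str]        # None = MAB, "PEAP" = AD user credentials, "EAP-TLS" = machine cert
    ad_user: bool = False     # user/machine authenticated against AD
    cert_valid: bool = False  # certificate chains to the internal CA
    posture: str = "unknown"  # "compliant", "noncompliant" or "unknown"

# MAB whitelist for headless devices only (constructed sample MAC)
IOT_WHITELIST = {"00:11:22:33:44:55"}

# Hypothetical authorization result names, not real ISE objects
FULL = "PermitAccess"
ONBOARD = "Onboarding-dACL"        # reach DCs, CA and posture servers only
QUARANTINE = "Posture-Remediation"
IOT = "IoT-dACL"
DENY = "DenyAccess"

def authorize(s: Session, onboarding_rule: bool = True) -> str:
    """Evaluate rules top-down, first match wins, as an ISE authorization policy does."""
    # Rule 1: MAB is accepted only for whitelisted headless devices
    if s.eap is None:
        return IOT if s.mac in IOT_WHITELIST else DENY
    # Rule 2: corporate PC with cert + AD identity; posture decides full vs remediation
    if s.eap == "EAP-TLS" and s.cert_valid and s.ad_user:
        return FULL if s.posture == "compliant" else QUARANTINE
    # Rule 3 (the onboarding policy): AD credentials over PEAP are enough to
    # reach the DCs and CA, join the domain and enroll a cert, nothing more
    if onboarding_rule and s.eap == "PEAP" and s.ad_user:
        return ONBOARD
    # Default: no whitelist entry, no cert, no usable identity
    return DENY

def onboarding_lifecycle(mac: str) -> List[str]:
    """Decisions a new PC receives as it moves from credentials-only to cert plus posture."""
    stages = [
        Session(mac, "PEAP", ad_user=True),                                           # day 0: not domain-joined
        Session(mac, "EAP-TLS", ad_user=True, cert_valid=True),                       # joined, cert issued, not yet scanned
        Session(mac, "EAP-TLS", ad_user=True, cert_valid=True, posture="compliant"),  # AnyConnect reports compliant
    ]
    return [authorize(s) for s in stages]

if __name__ == "__main__":
    print(onboarding_lifecycle("aa:bb:cc:dd:ee:01"))            # ['Onboarding-dACL', 'Posture-Remediation', 'PermitAccess']
    print(authorize(Session("aa:bb:cc:dd:ee:01", "PEAP", ad_user=True), onboarding_rule=False))  # DenyAccess
```

With `onboarding_rule=False` the model reproduces the original problem: a not-yet-joined PC matches nothing and is denied, which is what the MAC whitelist was papering over.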