Machine authentication with Cisco ISE

Machine authentication ensures that only corporate devices connect to the office wired or wireless network. Using Cisco ISE we can validate machine authentication and ensure users are not using their corporate credentials on personal devices to access resources. For example, a corporate user could use their corporate credentials on a personal mobile phone to access the corporate Wi-Fi; configuring machine-based authentication prevents that situation.

There are two things which we need to configure:

1> End user machine NIC settings

2> ISE authentication and authorization policy, authorization profile and MAR cache.

Configuration of Cisco ISE for machine authentication.

First we need to integrate Cisco ISE with Active Directory; check this post for the steps.

Ensure the Domain Computers group is added on ISE. Navigate to Administration > Identity Management > select the AD join point where machine authentication is needed > select Groups and click Add > Select Groups From Directory

domain computers group

Search for domain* in the highlighted field and click Retrieve Groups.

search for domain computers

select the domain computers

Now ensure Domain Computers is present in the Groups tab and click Save.

final look and feel of groups

Click on Advanced Settings and configure the MAR cache. The MAR cache stores machine authentication results; the aging time specifies how long a machine authentication entry is kept.

machine-authentication-with-cisco-ise

Now we need to configure a policy set. We can either update an existing policy set or create a new one; in this post we will create a new one. Navigate to Policy and click on the + icon.

Below is the policy we need to configure:

entire policy for machine authentication using Cisco ISE.


Below is the step-by-step configuration of the policy shown above:

new policy set

Give it a name and click on the + icon under the Conditions tab.

condition for authentication policy

Under conditions we need to be careful if ISE is already in production. If we are testing with a test SSID we can match on the SSID name; if we are testing with a test switch we can match on the switch IP address; on a production switch we can even restrict the test to a single port.

condition studio

For a wired switch we can specify the switch IP from which authentication requests will come to Cisco ISE. In this case the IP address the switch uses to communicate with ISE is 10.106.37.117. We can also test on a per-port basis by specifying the port where the test user will connect.

switch and nas-port id condition

Under Allowed Protocols select “Default Network Access”.

allowed protocol

Click on Save.

Configure the default authentication policy and change the identity store to the AD join point name:

authentication policy

Expand the authorization policy and click on the + icon.

authorization policy

authorization condition

Click on the highlighted area and select Domain Computers.

domain computers condition

Select the external group added in the earlier step.

select external group

domain computer in condition

Under Profiles select “PermitAccess”; a different profile can be selected here as needed.

Permit access for authenticated machine.

final Cisco ise machine authentication policy

Create another authorization policy by clicking on the + icon and keep the condition as below. Here we are configuring ISE to allow access to a user only when machine authentication has happened and the user is part of Domain Users.

Select Domain Users in the first condition and “was machine authenticated” equals true in the second.

user authentication and machine authentication condition

The finished second condition will be as below.

user authentication and machine authentication final condition

The second policy will look like below.

Final policy
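As an added illustration (not from the original post and not Cisco code), here is a small Python model of what the MAR cache and the two authorization rules above decide for a few requests; the aging time, MAC addresses and usernames are constructed placeholders, and the switch IP is the one used in the policy set condition.

```python
from dataclasses import dataclass, field

# Constructed values: the aging time is assumed to be 5 hours and the test
# switch IP is the one from the post; replace both with your own.
MAR_AGING_SECONDS = 5 * 3600
TEST_SWITCH_IP = "10.106.37.117"

@dataclass
class Request:
    nas_ip: str              # IP the switch uses to reach ISE
    calling_station_id: str  # endpoint MAC, the key ISE uses for the MAR cache
    identity: str            # "host/PC1" for machine auth, "alice" for user auth
    ad_groups: frozenset     # external AD groups returned for that identity

@dataclass
class MarCache:
    entries: dict = field(default_factory=dict)  # MAC -> time of machine auth

    def record(self, mac, now):
        self.entries[mac] = now

    def was_machine_authenticated(self, mac, now):
        stamp = self.entries.get(mac)
        return stamp is not None and now - stamp <= MAR_AGING_SECONDS

def authorize(req, cache, now):
    # Policy-set condition: only requests from the test switch hit this set.
    if req.nas_ip != TEST_SWITCH_IP:
        return "NoPolicySetMatch"
    # Rule 1: computer account in Domain Computers -> permit and cache the MAC.
    if "Domain Computers" in req.ad_groups:
        cache.record(req.calling_station_id, now)
        return "PermitAccess"
    # Rule 2: Domain Users AND the same MAC machine-authenticated within aging.
    if ("Domain Users" in req.ad_groups
            and cache.was_machine_authenticated(req.calling_station_id, now)):
        return "PermitAccess"
    # Implicit default rule of an ISE authorization policy.
    return "DenyAccess"

def walkthrough():
    cache, pc, phone = MarCache(), "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    machine = Request(TEST_SWITCH_IP, pc, "host/PC1", frozenset({"Domain Computers"}))
    user_pc = Request(TEST_SWITCH_IP, pc, "alice", frozenset({"Domain Users"}))
    user_phone = Request(TEST_SWITCH_IP, phone, "alice", frozenset({"Domain Users"}))
    return (
        authorize(machine, cache, now=0),                      # corporate PC boots
        authorize(user_pc, cache, now=60),                     # alice logs in on it
        authorize(user_phone, cache, now=60),                  # alice on personal phone
        authorize(user_pc, cache, now=MAR_AGING_SECONDS + 1),  # MAR entry aged out
    )
```

The last case shows the operational caveat of MAR: once the aging time passes without a fresh machine authentication, the user is denied until the machine authenticates again.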
