Machine authentication is a way to ensure that only corporate devices connect to the office wired or wireless network. With Cisco ISE we can validate machine authentication and ensure users are not using their corporate credentials on personal devices to reach corporate resources. For example, without it a corporate user can enter their corporate credentials on a personal mobile phone and join the corporate Wi-Fi. Configuring machine-based authentication prevents that situation.
There are two things we need to configure:
1> The end-user machine's NIC settings
2> ISE authentication policy, authorization profile and MAR cache
Configuration of Cisco ISE for machine authentication.
First we need to integrate Cisco ISE with Active Directory; check this post for that step.
Ensure the Domain Computers group is added on ISE. Navigate to Administration > Identity Management > select the AD join point that will handle machine authentication > select Groups and click Add > Select Groups From Directory
![domain computers group](https://clicksolution.org/wp-content/uploads/2023/10/image-48.png)
Search for domain* in the highlighted field > Click Retrieve Groups
![search for domain computers](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-134434.png)
![select the domain computers](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-134559-1.png)
Now ensure Domain Computers is present in the Groups tab, then click Save
![final look and feel of groups](https://clicksolution.org/wp-content/uploads/2023/10/image-49.png)
Click on Advanced Settings and configure the MAR cache. The MAR cache stores the result of each successful machine authentication; the aging time specifies how long that machine authentication record is kept before a user login on the same endpoint can no longer rely on it.
![machine-authentication-with-cisco-ise](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-161211.png)
Now we need to configure a policy set. We can either update an existing policy set or create a new one; in this post we configure a new one. Navigate to Policy and click on the + icon
Below is the policy we need to configure:
![entire policy for machine authentication using Cisco ISE.](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-153455-1024x549.png)
Below is the step-by-step configuration of the policy shown above:
![new policy set](https://clicksolution.org/wp-content/uploads/2023/10/image-50.png)
Give it a name, then click on the + icon under the Conditions column
![condition for authentication policy](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-135244.png)
We need to be careful with the condition if ISE is already in production. If we are testing on a test SSID we can match on the SSID name; if we are testing on a test switch we can match on the switch IP address; on a production switch we can even scope the test to a single port.
![condition studio](https://clicksolution.org/wp-content/uploads/2023/10/image-51-1024x407.png)
For a wired switch we can specify the switch IP address from which the authentication requests will reach Cisco ISE. In this case the IP address the switch uses to communicate with ISE is 10.106.37.117. We can also scope testing to a single port by specifying the NAS port where the test user will connect.
![switch and nas-port id condition](https://clicksolution.org/wp-content/uploads/2023/10/image-53-1024x359.png)
Under Allowed Protocols select “Default Network Access”
![allowed protocol](https://clicksolution.org/wp-content/uploads/2023/10/image-54.png)
Click on Save
Configure the default authentication policy: change the identity store to the AD join point name:
![authentication policy](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152210-1024x298.png)
Expand the Authorization Policy and click on the + icon
![authorization policy](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152356-1024x359.png)
![authorization condition](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152523-1024x387.png)
Click on the highlighted area and select Domain Computers
![domain computers condition](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152614-1024x377.png)
Select the external group added in earlier step.
![select external group](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152742.png)
![domain computer in condition](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-152832.png)
Under Profiles select “PermitAccess”; a different profile can be selected here as needed.
![Permit access for authenticated machine.](https://clicksolution.org/wp-content/uploads/2023/10/image-56.png)
![final Cisco ise machine authentication policy](https://clicksolution.org/wp-content/uploads/2023/10/image-59-1024x176.png)
Create another authorization policy by clicking on the + icon and set the condition as below. Here we configure ISE to allow a user access only when machine authentication has already happened and the user is a member of Domain Users.
Select Domain Users in the first condition and in the second select “WasMachineAuthenticated EQUALS true”
![user authentication and machine authentication condition](https://clicksolution.org/wp-content/uploads/2023/10/Screenshot-2023-10-21-153236-1024x550.png)
Finally, the second condition will look as below
![user authentication and machine authentication final condition](https://clicksolution.org/wp-content/uploads/2023/10/image-57-1024x386.png)
The second policy will look like the below
![Final policy](https://clicksolution.org/wp-content/uploads/2023/10/image-58-1024x185.png)
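To make concrete how the two authorization rules above interact with the MAR cache and its aging time, here is an added Python model; it is not code from the original post or from Cisco. It assumes the MAR cache is keyed by the endpoint MAC address (the RADIUS Calling-Station-Id), and the MACs, identities and aging value are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

MAC_LAPTOP = "00:11:22:33:44:55"   # constructed: corporate laptop MAC
MAC_PHONE = "aa:bb:cc:dd:ee:ff"    # constructed: personal phone MAC

@dataclass
class MarCache:
    # Models the MAR cache: time of last successful machine auth per endpoint MAC.
    aging_seconds: int
    _entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self._entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self._entries.get(mac)
        if seen is None or now - seen > self.aging_seconds:
            self._entries.pop(mac, None)  # absent or past the aging time
            return False
        return True

@dataclass
class Request:
    mac: str                # RADIUS Calling-Station-Id of the endpoint
    identity: str           # "host/<name>" for a machine, a username for a user
    groups: FrozenSet[str]  # AD groups ISE resolved for that identity
    time: float             # seconds since epoch

def authorize(cache: MarCache, req: Request) -> str:
    # Rule 1 from the post: Domain Computers -> PermitAccess. A successful
    # machine auth is also recorded in the MAR cache for this MAC.
    if "Domain Computers" in req.groups:
        cache.record_machine_auth(req.mac, req.time)
        return "PermitAccess"
    # Rule 2 from the post: Domain Users AND WasMachineAuthenticated EQUALS true.
    if "Domain Users" in req.groups and cache.was_machine_authenticated(req.mac, req.time):
        return "PermitAccess"
    # Nothing matched: the policy set's default rule denies.
    return "DenyAccess"

def run_scenario(aging_seconds: int = 3600) -> List[Tuple[str, str]]:
    cache = MarCache(aging_seconds)
    reqs = [
        ("laptop machine auth", Request(MAC_LAPTOP, "host/LAPTOP01", frozenset({"Domain Computers"}), 0)),
        ("user on corporate laptop", Request(MAC_LAPTOP, "jsmith", frozenset({"Domain Users"}), 60)),
        ("same user on personal phone", Request(MAC_PHONE, "jsmith", frozenset({"Domain Users"}), 120)),
        ("user on laptop after aging", Request(MAC_LAPTOP, "jsmith", frozenset({"Domain Users"}), 60 + aging_seconds + 1)),
    ]
    return [(label, authorize(cache, r)) for label, r in reqs]
```

The last case shows why the aging time matters: once the cached machine authentication expires, a user login on the same endpoint is denied until the machine authenticates again.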