Machine authentication is a way to ensure that only corporate devices connect to the office wired or wireless network. Using Cisco ISE we can validate the machine authentication and ensure users are not using their corporate credentials on personal devices to access resources. For example, without it a corporate user can enter their corporate credentials on a personal mobile phone and join the corporate Wi-Fi. When we configure machine-based authentication we can avoid such a situation, because ISE will only permit the user if the device itself has already authenticated with its computer account.
There are two things which we need to configure:
1> End user machine NIC setting (the 802.1X supplicant must be set to authenticate the computer as well as the user)
2> ISE authentication policy, authorization profile and MAR (Machine Access Restriction) cache.
Configuration of Cisco ISE for machine authentication.
First we need to integrate Cisco ISE with Active Directory; check this post for the join procedure.
Ensure the Domain Computers group is added on ISE. Navigate to Administration > Identity Management > select the AD join point where we need machine authentication > Groups tab > click Add > Select Groups From Directory.
Search for domain* in the highlighted Name filter field and click Retrieve Groups. Select Domain Computers from the results and click OK.
Now ensure Domain Computers is present in the Groups tab. Click Save.
Click on Advanced Settings and configure the MAR cache. The MAR cache stores the fact that a given endpoint (keyed on its MAC address) has successfully performed machine authentication. The Aging Time specifies for how long that machine authentication result is retained; once an entry ages out, a user authentication from that endpoint will no longer be treated as machine authenticated until the machine authenticates again.
Now we need to configure a policy set. We can either update an existing policy set or create a new one; in this post we will configure a new policy set. Navigate to Policy > Policy Sets and click on the + icon.
Below is the policy we need to configure:
Below is the step-by-step configuration of the policy shown above:
Give the policy set a name and click on the + icon under the Conditions column.
Under Conditions we need to be careful if ISE is already in production. If we are testing on a test SSID we can match the SSID name; if we are testing on a test switch we can match the switch IP address; in the case of a production switch we can even restrict the test to a specific port.
For a wired switch we specify the switch IP from which the authentication requests will come to Cisco ISE. In this case the IP address the switch uses to communicate with ISE is 10.106.37.117. We can also test on a per-port basis by specifying the port where the test user will connect.
Under Allowed Protocols select “Default Network Access”.
Click on Save.
Configure the Default authentication policy and change the identity store to the AD join point name:
Expand the Authorization Policy and click on the + icon.
Click on the highlighted area and select the Domain Computers group.
Select the external group added in the earlier step.
Under Profiles select “PermitAccess”; a different authorization profile can be selected here as needed. This first rule permits the machine account itself and populates the MAR cache for that endpoint.
Create another authorization rule by clicking on the + icon and set the condition as below. Here we are configuring that ISE should only allow access to a user when machine authentication has already happened from that endpoint and the user is part of Domain Users.
Select Domain Users in the first condition, and in the second condition select “WasMachineAuthenticated EQUALS true”.
Finally the second condition will look as below.
The second rule will look like below. Because both conditions must match, a user who types corporate credentials on a personal device (which never performed machine authentication) will not match this rule and will fall through to the default deny.
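To make the MAR cache aging described earlier and the two authorization rules above concrete, here is a small constructed simulation written for this post. It is not Cisco ISE code and does not use any ISE API; the request fields, MAC addresses, identities and the 24-hour aging value are all made-up sample data. It models the cache as a per-MAC timestamp and evaluates the rules top-down, so you can see why a corporate laptop is permitted, why the same user on a personal phone is denied, and why a user is also denied once the machine entry has aged out.

```python
# Constructed simulation of the MAR cache and the two authorization rules
# configured in this post. Illustrative only: not Cisco ISE code or an ISE API.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

HOUR = 3600  # seconds


@dataclass(frozen=True)
class Request:
    """One access request as the authorization policy sees it (constructed fields)."""
    mac: str                 # endpoint MAC (Calling-Station-Id in RADIUS)
    identity: str            # host/... for machine auth, DOMAIN\\user for user auth
    groups: FrozenSet[str]   # AD groups resolved for that identity
    timestamp: int           # seconds since epoch


class MarCache:
    """Remembers when each endpoint MAC last completed machine authentication."""

    def __init__(self, aging_time_hours: int) -> None:
        # Assumption: the aging value is expressed in hours, as in the ISE setting.
        self.aging_time_s = aging_time_hours * HOUR
        self._entries: Dict[str, int] = {}

    def record(self, mac: str, when: int) -> None:
        self._entries[mac] = when

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        """Model of the 'WasMachineAuthenticated EQUALS true' condition."""
        seen = self._entries.get(mac)
        return seen is not None and (now - seen) <= self.aging_time_s


def authorize(req: Request, cache: MarCache) -> str:
    """Evaluate the two rules top-down; the first match wins."""
    # Rule 1: computer account in Domain Computers -> PermitAccess.
    # A successful machine authentication populates the MAR cache for that MAC.
    if "Domain Computers" in req.groups:
        cache.record(req.mac, req.timestamp)
        return "PermitAccess"
    # Rule 2: Domain Users AND WasMachineAuthenticated == true -> PermitAccess.
    if "Domain Users" in req.groups and cache.was_machine_authenticated(req.mac, req.timestamp):
        return "PermitAccess"
    # Nothing matched: fall through to the default rule, which denies here.
    return "DenyAccess"


def run_scenarios(aging_time_hours: int = 24) -> List[str]:
    """Four constructed sessions; returns the authorization result of each."""
    cache = MarCache(aging_time_hours)
    t0 = 1_700_000_000  # constructed epoch time
    laptop = "00:11:22:33:44:55"  # constructed corporate laptop MAC
    phone = "aa:bb:cc:dd:ee:ff"   # constructed personal phone MAC
    results: List[str] = []
    # 1. Corporate laptop boots and performs machine auth.
    results.append(authorize(Request(laptop, "host/PC1.corp.example",
                                     frozenset({"Domain Computers"}), t0), cache))
    # 2. The user logs in to that laptop an hour later.
    results.append(authorize(Request(laptop, "CORP\\alice",
                                     frozenset({"Domain Users"}), t0 + 1 * HOUR), cache))
    # 3. Same corporate credentials on a personal phone: no machine auth ever happened.
    results.append(authorize(Request(phone, "CORP\\alice",
                                     frozenset({"Domain Users"}), t0 + 1 * HOUR), cache))
    # 4. Same laptop, user re-authenticates after the MAR entry has aged out.
    results.append(authorize(Request(laptop, "CORP\\alice",
                                     frozenset({"Domain Users"}),
                                     t0 + (aging_time_hours + 1) * HOUR), cache))
    return results


if __name__ == "__main__":
    labels = ["laptop machine auth", "laptop user auth",
              "phone user auth", "laptop user auth (aged out)"]
    for label, result in zip(labels, run_scenarios()):
        print(f"{label:30s} -> {result}")
```

The fourth scenario is the one to keep in mind when choosing the aging time: a long-lived session or a laptop that stays awake past the aging window will see its user re-authentication denied until the machine authenticates again, which is the expected trade-off for keeping personal devices off the network.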