Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD profiling

  • 1.  AD profiling

    Posted Mar 06, 2019 04:16 PM
    Hi, I have a customer requirement.
    DHCP fingerprinting is used, which returns vendor, device category, OS version, etc.

    The requirement is to have an FQDN in the profiling to see whether it's a domain machine or an external machine when both internal and external hit the MAB rule.

    For a valid internal user with machine certificates it will go for EAP-TLS.

    But if the cert is expired or corrupted, and the internal user hits MAB, how does profiling segregate it from an external user who also hits the MAB rule?

    The profiling method is DHCP.
    I checked on Cisco ISE, which also has an option of AD fingerprinting to get the domain attribute. Just checking if this is possible in CPPM.



  • 2.  RE: AD profiling

    EMPLOYEE
    Posted Mar 06, 2019 04:39 PM
    Based on the number of related questions lately, I would highly recommend you work with a partner on your deployment.


  • 3.  RE: AD profiling

    Posted Mar 06, 2019 06:54 PM
    Hi Tim, we are in the initial stage of discussion with the customer. The customer is more inclined to CPPM than ISE but has a few requirements. We will definitely work with a partner once we start the PoC. Having the domain attribute or FQDN in Access Tracker or the endpoint profiler is one requirement, and we are thinking about how we achieve this for MAB-authenticated laptops (guests).


  • 4.  RE: AD profiling

    EMPLOYEE
    Posted Mar 07, 2019 03:24 AM

    One possible way to achieve this would be to update the endpoint in the endpoint database with an attribute that indicates AD membership. You could do that on a computer authentication, or if you control the TLS well enough on the TLS user authentication as well. When a MAC auth request comes in, you can return the service VLAN for those machines that have the attribute set, so they can sync from there to the AD/PKI, or even do a PXE boot to reimage the client.
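The flow described in reply 4, as an added example that is not code from the thread or from HPE Aruba: a small Python simulation of "tag the endpoint at EAP-TLS machine authentication, then let MAC auth send only tagged endpoints to the service VLAN". The in-memory dictionary stands in for the ClearPass endpoint database (in a real deployment the attribute is written by an Endpoint Update enforcement action or the REST API). The attribute names, VLAN IDs, the 30-day trust window and the REST path in endpoint_patch_body are assumptions chosen for the example. It goes slightly beyond the reply by only trusting a host/ machine identity (a user certificate does not prove the laptop is domain-joined) and by expiring the tag, since a MAC address can be spoofed or move to another device.

```python
"""Added example, not code from the thread or from HPE Aruba: simulation of
tagging an endpoint as domain-joined at EAP-TLS machine auth and using the
tag to pick a VLAN at MAC auth. Attribute names, VLAN IDs, TTL and the REST
path below are assumptions for this example."""
import re
from datetime import datetime, timedelta

SERVICE_VLAN = 100   # assumed: remediation VLAN reaching only AD, PKI and PXE/imaging
GUEST_VLAN = 200     # assumed: internet-only VLAN for everything else
AD_ATTR = "AD-Member"                 # assumed endpoint attribute names
AD_SEEN_ATTR = "AD-Member-Last-Seen"
AD_HOST_ATTR = "AD-Hostname"
AD_TTL = timedelta(days=30)           # assumed: how long a past machine auth is trusted


def normalize_mac(mac):
    """Collapse 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 to 12
    lowercase hex digits, the form the ClearPass endpoint store uses for
    mac_address (assumption: check against your appliance's Endpoint list)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


class EndpointDB:
    """Minimal constructed stand-in for the ClearPass endpoint database."""

    def __init__(self):
        self._endpoints = {}

    def attributes(self, mac):
        return self._endpoints.setdefault(normalize_mac(mac), {})


def on_eap_tls_success(db, mac, identity, now_iso):
    """Post-authentication step after a successful EAP-TLS. Only a machine
    identity (host/<fqdn>) proves the laptop is domain-joined; a user
    certificate says nothing about the device it was used on, so it is
    ignored here. Returns True when the endpoint was tagged."""
    if not identity.lower().startswith("host/"):
        return False
    attrs = db.attributes(mac)
    attrs[AD_ATTR] = "true"
    attrs[AD_HOST_ATTR] = identity[len("host/"):]
    attrs[AD_SEEN_ATTR] = now_iso
    return True


def mab_decision(db, mac, now_iso):
    """Enforcement for a MAC auth request. Untagged endpoints are guests.
    A tag with no timestamp, or older than AD_TTL, is treated as stale: MAC
    auth is spoofable and the address may have moved to another device, so a
    laptop last seen on the domain months ago keeps no privilege."""
    attrs = db.attributes(mac)
    if attrs.get(AD_ATTR) != "true":
        return GUEST_VLAN
    seen = attrs.get(AD_SEEN_ATTR)
    if not seen:
        return GUEST_VLAN
    if datetime.fromisoformat(now_iso) - datetime.fromisoformat(seen) > AD_TTL:
        return GUEST_VLAN
    return SERVICE_VLAN


def endpoint_patch_body(db, mac):
    """Body you would send to the ClearPass REST API to write the same
    attributes (assumed: PATCH /api/endpoint/mac-address/<mac> accepting
    {"attributes": {...}}; confirm path and field names in API Explorer)."""
    return {"mac_address": normalize_mac(mac),
            "attributes": dict(db.attributes(mac))}


if __name__ == "__main__":
    db = EndpointDB()
    t0 = "2019-03-07T09:00:00"
    on_eap_tls_success(db, "00:11:22:33:44:55", "host/laptop01.corp.example", t0)
    print(mab_decision(db, "0011.2233.4455", "2019-03-17T09:00:00"))
    print(mab_decision(db, "AA-BB-CC-DD-EE-FF", t0))
    print(endpoint_patch_body(db, "00:11:22:33:44:55"))
```

Keep the service VLAN narrow (AD, PKI/SCEP, imaging only): the tag only says that this MAC once authenticated as a domain machine, and MAC addresses are trivially spoofed, so the tag should buy remediation access rather than full network access.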