Regular Contributor II

How to check for domain joined machine?

Hi Forum,


Great stuff here and always learning new things. 

I have a new question that I was thinking of: how can I have ClearPass check if a PC is domain joined or not, so I can allow or limit access? And if this is possible, what is the solution for MacOS?


Thanks in advance,

Regular Contributor II

Re: How to check for domain joined machine?

Actually, can I use this method?


And if so, what about MacOS? How do I check if a device is domain joined/company issued, without a pre-filled list of company issued devices from IT/logistics?

Re: How to check for domain joined machine?

A couple of points: most domain-joined Windows computers will process user AND machine authentication into ClearPass. Using the tags/roles [User Authenticated] and [Machine Authenticated], you can then define that if BOTH exist, then send back the appropriate action/role/VLAN/etc.


For OS X, you can join them to the domain, or use an alternate method like:


1. Have a static host list for these MAC addresses

2. Add in an SQL auth source and use it as an Authorization source in the service to query the endpoint's MAC and if it exists, then take the same action like you would if Machine Auth were present

3. Use profiler and write a policy to say IF it's OS X AND some other attribute like Hostname CONTAINS <value>

4. Leverage MDM context IF you have one deployed for OS X

5. Create and tag these OSX machines with a custom attribute like "Corporate Owned" and then use the presence of that attribute to derive context

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
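To make the role logic in the answer above concrete, here is an added toy model (example code written for this thread, not ClearPass code) of how the two tags combine into an enforcement decision. It assumes that machine and user authentications arrive as separate requests from the same client MAC and that the machine result is remembered for a limited window, in the spirit of ClearPass's machine-authentication cache; the role names, profile names, the "host/" identity prefix convention for machine accounts, the "Corporate Owned" endpoint attribute from option 5, and the cache timeout are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AuthEvent:
    client_mac: str
    identity: str          # "host/PC01.corp.example" for machine auth, "alice" for user auth
    timestamp: int         # seconds since some epoch
    os_family: str = "Windows"
    endpoint_attrs: dict = field(default_factory=dict)  # e.g. {"Corporate Owned": "Yes"}

MACHINE_AUTH_CACHE_SECONDS = 24 * 3600  # assumed cache window for a machine auth result

class PolicyEngine:
    """Derives [Machine Authenticated] / [User Authenticated] tags per event and
    maps them to an enforcement profile, the way the thread's answer describes."""

    def __init__(self):
        self._machine_auth = {}  # client MAC -> timestamp of last successful machine auth

    def derive_roles(self, ev):
        roles = set()
        if ev.identity.startswith("host/"):
            # Pre-logon machine authentication: remember it for this MAC.
            self._machine_auth[ev.client_mac] = ev.timestamp
            roles.add("[Machine Authenticated]")
        else:
            roles.add("[User Authenticated]")
            # A user logon on a MAC that recently machine-authenticated inherits the tag.
            last = self._machine_auth.get(ev.client_mac)
            if last is not None and ev.timestamp - last <= MACHINE_AUTH_CACHE_SECONDS:
                roles.add("[Machine Authenticated]")
        # Option 5 from the answer: macOS devices tagged by IT instead of domain join.
        if ev.os_family == "Mac OS X" and ev.endpoint_attrs.get("Corporate Owned") == "Yes":
            roles.add("Corporate Owned")
        return roles

    def enforce(self, ev):
        roles = self.derive_roles(ev)
        if {"[User Authenticated]", "[Machine Authenticated]"} <= roles:
            return "Corp-Full-Access"      # domain-joined PC with a logged-on domain user
        if "[User Authenticated]" in roles and "Corporate Owned" in roles:
            return "Corp-Full-Access"      # tagged corporate Mac with a domain user
        if "[Machine Authenticated]" in roles:
            return "Machine-Only"          # pre-logon: only what a booting PC needs
        return "Guest-Limited"             # user credentials on an unmanaged device
```

A user who types valid domain credentials on a personal laptop lands in Guest-Limited because no machine authentication was ever seen for that MAC, which is the distinction the original question is after.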
Regular Contributor II

Re: How to check for domain joined machine?

Thank You Seth,


I will test option number 4 and see if it works fine.


thanks again.
