https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256856#M132204 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND&nbsp;&nbsp;&nbsp; AD:exteranalgroup EQUAL Some_domain_user_group )</P><P></P><P>- Not possible</P><P></P><P>As user and machine authentication occur at different contexts.</P><P>ACS cannot verify the both at the same time.</P><P>Using MAR, you can, though club the both together and achieve:</P><P></P><P>"machine is part of domain and user is valid only then he should be able to have full access"</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978</A></P><P></P><P>Tips for configuring MAR:</P><P>1) Set the client to perform user or computer authentication.</P><P>2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).</P><P>3) Enable MAR under the AD configuration page on ACS and set the aging time.</P><P>4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.</P><P></P><P>Rate if useful <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Tue, 30 Apr 2013 10:22:33 GMT edwjames 2013-04-30T10:22:33Z https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256855#M132160 <P>Hi,</P><P>I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...</P><P></P><P>Condition</P><P>IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND&nbsp;&nbsp;&nbsp; AD:exteranalgroup EQUAL Some_domain_user_group )</P><P></P><P>Permissions</P><P>then Vlan x</P><P></P><P>Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.</P><P></P><P>Any help will be of great value.</P> Mon, 11 Mar 2019 03:22:36 GMT https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256855#M132160 nrafia 2019-03-11T03:22:36Z https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256856#M132204 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND&nbsp;&nbsp;&nbsp; AD:exteranalgroup EQUAL Some_domain_user_group )</P><P></P><P>- Not possible</P><P></P><P>As user and machine authentication occur at different contexts.</P><P>ACS cannot verify the both at the same time.</P><P>Using MAR, you can, though club the both together and achieve:</P><P></P><P>"machine is part of domain and user is valid only then he should be able to have full access"</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978</A></P><P></P><P>Tips for configuring MAR:</P><P>1) Set the client to perform user or computer authentication.</P><P>2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).</P><P>3) Enable MAR under the AD configuration page on ACS and set the aging time.</P><P>4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.</P><P></P><P>Rate if useful <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Tue, 30 Apr 2013 10:22:33 GMT https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256856#M132204 edwjames 2013-04-30T10:22:33Z https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256857#M132239 <HTML><HEAD></HEAD><BODY><P> It was extremely helpful.</P><P></P><P>Thanks and rated.</P></BODY></HTML> Tue, 30 Apr 2013 11:21:56 GMT https://community.cisco.com/t5/network-access-control/is-it-possible-to-do-machine-and-user-authentication-in-same/m-p/2256857#M132239 nrafia 2013-04-30T11:21:56Z