<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Avoid username password prompt every time a workstation unplugs/plugs in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596152#M496917</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;With username/password you can cache credentials in the supplicant so you do not need to re-type them with every new authentication. I'm not aware of how you can cache a token. You have chosen a very secure authentication method - welcome to the side effect! Suggest you consider certificates which can be automatically presented as Jason suggested.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Letting an endpoint on for a set time (8 hours) is usually only done with Guests where the consequences of a MAC spoof would be fairly inconsequential. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 20 Jun 2018 21:54:24 GMT</pubDate>
    <dc:creator>thomas</dc:creator>
    <dc:date>2018-06-20T21:54:24Z</dc:date>
    <item>
      <title>Avoid username password prompt every time a workstation unplugs/plugs</title>
      <link>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596150#M496915</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a customer who is using 2FA for wired dot1x.&lt;/P&gt;&lt;P&gt;Their requirement is to not prompt the machine for username/credentials every time the machine unplugs and plugs for 8 hours.&lt;/P&gt;&lt;P&gt;The user comes in the morning and enters their username and 2FA and then can seamlessly move around for the next 8 hours.&lt;/P&gt;&lt;P&gt;Any thoughts on if and how that can be achieved?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Maybe if we can dump authenticated machines hitting various authorization rules into identity groups the first time they authenticate and then purge them at the end of the day.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Jun 2018 15:20:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596150#M496915</guid>
      <dc:creator>umahar</dc:creator>
      <dc:date>2018-06-18T15:20:43Z</dc:date>
    </item>
    <item>
      <title>Re: Avoid username password prompt every time a workstation unplugs/plugs</title>
      <link>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596151#M496916</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What about machine cert plus cached user cert or creds?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Or machine cert plus CWA flow or using CWA with 2FA perhaps? Not sure if possible but endpoint could be registered to an endpoint group for the day perhaps.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 19 Jun 2018 16:45:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596151#M496916</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-06-19T16:45:48Z</dc:date>
    </item>
    <item>
      <title>Re: Avoid username password prompt every time a workstation unplugs/plugs</title>
      <link>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596152#M496917</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;With username/password you can cache credentials in the supplicant so you do not need to re-type them with every new authentication. I'm not aware of how you can cache a token. You have chosen a very secure authentication method - welcome to the side effect! Suggest you consider certificates which can be automatically presented as Jason suggested.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Letting an endpoint on for a set time (8 hours) is usually only done with Guests where the consequences of a MAC spoof would be fairly inconsequential. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 20 Jun 2018 21:54:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596152#M496917</guid>
      <dc:creator>thomas</dc:creator>
      <dc:date>2018-06-20T21:54:24Z</dc:date>
    </item>
    <item>
      <title>Re: Avoid username password prompt every time a workstation unplugs/plugs</title>
      <link>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596153#M496918</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jason and Thomas for your inputs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jason, I already discussed the possibility of using CWA but the customer does not want to add another flow. Besides, MAC spoofing is a big risk.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thomas, I did discuss the same thing with the customer, that they will have to make a trade-off between security and user experience. They have very strict instructions from their management to only use 2FA for NAC. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Jun 2018 14:26:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/avoid-username-password-prompt-everytime-a-workstation-unplugs/m-p/3596153#M496918</guid>
      <dc:creator>umahar</dc:creator>
      <dc:date>2018-06-21T14:26:39Z</dc:date>
    </item>
  </channel>
</rss>

