topic Re: BYOD Windows Non-Admin User in Network Access Control

BYOD Windows Non-Admin User

omadrile — Tue, 14 Aug 2018 13:49:39 GMT

Hi team,

Just as a sanity check, consider the scenario where we have multiple users (both admin and non-admin) in Windows running on the same machine. If a non-admin user runs the browser as an admin and follows the BYOD flow, is it possible for the non-admin user to install the BYOD cert?

Also, if an admin user (after having completed the BYOD flow) authenticates against ISE using the cert, and then using fast user switching a non-admin user logs in (without sending any EAPOL logoff message). Will the non-admin user be able to reuse the existing authenticated session from the admin user?

Thanks,

Oriol

Re: BYOD Windows Non-Admin User

howon — Tue, 14 Aug 2018 14:03:03 GMT

Non-admin user won't be able to complete the BYOD flow as it requires running executable and also access to the certificate store. In the fas-user-switching, yes what you describe is correct, since the first user did not log off, from the network perspective, the first user is still logged in.

Re: BYOD Windows Non-Admin User

Jason Kunst — Tue, 14 Aug 2018 14:33:19 GMT

It’s not recommended to use BYOD with shared machines

The whole point of the feature is really to onboard devices used by a single person. Register a device to a person. Otherwise you have the same Mac flipping between different ownership as a portal user id. This maybe even introduces issues as haven’t tried

Would recommend looking into deploying one (perhaps a machine cert) for identifying the machine and then rely upon user credentials such as CWA chaining as an example

Or using a certificate management platform such as sccm or gpo push out user certainty and manage that way