topic Re: Cisco ISE Windows User Switch Account in Network Access Control

Cisco ISE Windows User Switch Account

saxenanitesh8522 — Wed, 07 Feb 2018 14:42:17 GMT

Hi Guy's

we are doing a machine and user authentication using a native client. which is working but there is a small issue that.

When we are doing log off and log in it works properly. But when the user does switch account the ise doesn't authenticate.

Is it possible to do this way? that we can a switch acocunt and have user and machine both authenticated.

we have put a condition in the user checking was machine authenticated but it doesn't work with switch account in windows.

Can anyone help on this.

Re: Cisco ISE Windows User Switch Account

Jason Kunst — Wed, 07 Feb 2018 15:06:07 GMT

The window supplicant is not able to send Machine authentication in the user-space. This is a known weakness in its capabilities

You should look into eap chaining with AnyConnect NAM If requiring to tie machine and user auth together

Also request that The customer request that Microsoft adopt the TEAP standards

Re: Cisco ISE Windows User Switch Account

Jason Kunst — Wed, 07 Feb 2018 15:07:19 GMT

Also note there is information out there already posted about trusted machine and trusted user scenarios

Re: Cisco ISE Windows User Switch Account

saxenanitesh8522 — Wed, 07 Feb 2018 15:10:31 GMT

Dear Jason,

This is a current deployment using native deployment and the customer is not interested in using the client.

So intially he was ok with the solution but now he is requesting this feature of switch user option.

it work's if we are doing only user authentication but when we are doing computer or user authentication, it keep's failing.

is there no way to do this? as the machine is already authenticated but the its a new user who is logging on the machine can't it use its MAR's do the same??

Re: Cisco ISE Windows User Switch Account

saxenanitesh8522 — Wed, 07 Feb 2018 15:12:59 GMT

Do you have links or something who have done a this kind of scenario?

Re: Cisco ISE Windows User Switch Account

Jason Kunst — Wed, 07 Feb 2018 15:46:52 GMT

Sorry I was incorrect about NAM being a solution for this. NAM EAP chaining is used when usually switching media state (example wired to wireless and wanting to present the machine and user auth in the user space).

a google search of teap eap chaining will give you some good articles

The problem is that microsoft doesn't switch user on dot1x when using fast user switching. Its tied to the original login.

The way around it would to either log the user off or do user auth only

Think about security in this. Do you want to login to a machine with someone else stuff running in the background? What about accountability in this state? userX has something bad running but I am logged in as UserY.

Re: Cisco ISE Windows User Switch Account

Craig Hyps — Thu, 08 Feb 2018 15:31:52 GMT

It would be necessary to have user logout of Windows and log back in with another account. As Jason explained, there is no explicit AD logoff event or EAP logoff with Fast User Switching (FUS). I recommend reaching out to Cisco account and requesting they submit enhancement to Tal Surasky (Cisco PM) on behalf of your company (or your customer) to support FUS. There are technical ways where this scenario may be addressed, but would require code enhancements.

/Craig