https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449774#M535532 <HTML><HEAD></HEAD><BODY><P>As Danny mentioned Fast user switching is not supported. This is when user A is still logged in when user B uses Fast user switching to log in to the same machine.</P><P>However if the user A is logged off and user B logs in, you can provide differentiated access based on the user role of user B.</P><P></P><P>If you want a secure authentication you need 802.1x. There is also solution called easyconnect that makes configuration on switches easier, where you can use MAB for intial access to resources</P><P>and then ISE talks to AD and gets the user information and ties it to the session.</P><P>Here is more information on that.</P><P>https://communities.cisco.com/docs/DOC-68080</P><P>If you want to identify corporate asset as well as provide differentiated access then EAP- Chaining could be a way. You need Anyconnect client for this.</P><P></P><P>-Krishnan</P></BODY></HTML> Tue, 27 Jun 2017 06:09:39 GMT kthiruve 2017-06-27T06:09:39Z https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449772#M535530 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>My customer has this question on whether ISE can achieve differentiated access for different windows sessions on same machine. The scenario is that the normal user authenticates on his/her Windows machine and get access to the network according to his AD account. He requests for IT support and then IT admin logs him out and switch to his/her IT admin account. Is it possible to assign different access control for IT admin while the normal user session is still running?</P><P>It seems to me that we need a firewall to have session access policy based on user session, rather than ISE based on endpoint.</P><P>Any comment or suggestion?</P><P>Thanks, Tommy </P></BODY></HTML> Tue, 27 Jun 2017 05:20:59 GMT https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449772#M535530 Tze Tai Mak 2017-06-27T05:20:59Z https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449773#M535531 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>If you are referring to Fast User Switching on Windows machines then no , ISE does not support this as it cannot recognize a disconnect of previous user session.</P><P></P><P>-Danny</P></BODY></HTML> Tue, 27 Jun 2017 05:40:52 GMT https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449773#M535531 ldanny 2017-06-27T05:40:52Z https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449774#M535532 <HTML><HEAD></HEAD><BODY><P>As Danny mentioned Fast user switching is not supported. This is when user A is still logged in when user B uses Fast user switching to log in to the same machine.</P><P>However if the user A is logged off and user B logs in, you can provide differentiated access based on the user role of user B.</P><P></P><P>If you want a secure authentication you need 802.1x. There is also solution called easyconnect that makes configuration on switches easier, where you can use MAB for intial access to resources</P><P>and then ISE talks to AD and gets the user information and ties it to the session.</P><P>Here is more information on that.</P><P>https://communities.cisco.com/docs/DOC-68080</P><P>If you want to identify corporate asset as well as provide differentiated access then EAP- Chaining could be a way. You need Anyconnect client for this.</P><P></P><P>-Krishnan</P></BODY></HTML> Tue, 27 Jun 2017 06:09:39 GMT https://community.cisco.com/t5/network-access-control/differentiated-access-on-same-machine-with-multiple-logins/m-p/3449774#M535532 kthiruve 2017-06-27T06:09:39Z