https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5234078#M593649 <P>The following article explains how this works with traditional EAP methods.<BR /><A href="https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html" target="_blank">https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html</A></P> <P>I also describe and illustrate how this works with both traditional EAP methods and TEAP in my blog here.<BR /><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835" target="_blank">https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835</A></P> <P>&nbsp;</P> Mon, 09 Dec 2024 01:43:28 GMT Greg Gibbs 2024-12-09T01:43:28Z https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233846#M593643 <P>Hi all;</P><P>As you know, there is several authentication scenarios in Windows native supplicant. One of them is "User or Authentication" option:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rezaalikhani_0-1733644808835.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/235427iB88E159EFB3D51A2/image-size/medium?v=v2&amp;px=400" role="button" title="rezaalikhani_0-1733644808835.png" alt="rezaalikhani_0-1733644808835.png" /></span></P><P>Based on the official documents, by selecting "<STRONG>User or Computer Authentication</STRONG>" option, Windows performs an 802.1X authentication with computer credentials before displaying the Windows logon screen. Windows performs another 802.1X authentication with user credentials after the user has logged on.</P><P>Based on the above statement, Microsoft should choose <STRONG>AND</STRONG> instead of <STRONG>OR</STRONG> for this option. Right?</P><P>Is there any scenario you know which forces the <STRONG>OR</STRONG> operation (the computer authentication or user authentication)?</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 08 Dec 2024 08:07:56 GMT https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233846#M593643 rezaalikhani 2024-12-08T08:07:56Z https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233851#M593644 <P>If I recall correctly, the addition of user authentication is tied to EAP chaining in which it is a logical AND.&nbsp;<BR /><BR /></P> <P>Edit: Re-reading my initial response didn’t answer your question at all. This appears to be a limitation of the OS rather than ISE which can be configured to accept in an AND/OR manner.&nbsp;</P> Sun, 08 Dec 2024 08:54:16 GMT https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233851#M593644 stephan.l.martin1 2024-12-08T08:54:16Z https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233866#M593645 <P>Short answer is No with native supplicant, but you have machine access restriction feature on ISE which basically caches your machine auth for the defined period of time, between this time only user authentication happens since previous machine auth is already cached, unless windows device goers thought a reboot or complete logout.<BR />There are some restriction, pros and cons that you can read <A href="https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html" target="_self">here</A></P> Sun, 08 Dec 2024 10:14:18 GMT https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5233866#M593645 Ambuj M 2024-12-08T10:14:18Z https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5234078#M593649 <P>The following article explains how this works with traditional EAP methods.<BR /><A href="https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html" target="_blank">https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html</A></P> <P>I also describe and illustrate how this works with both traditional EAP methods and TEAP in my blog here.<BR /><A href="https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835" target="_blank">https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835</A></P> <P>&nbsp;</P> Mon, 09 Dec 2024 01:43:28 GMT https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5234078#M593649 Greg Gibbs 2024-12-09T01:43:28Z https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5234139#M593652 <P>Exactly useful for me. Thank you...</P> Mon, 09 Dec 2024 06:05:51 GMT https://community.cisco.com/t5/network-access-control/user-or-computer-authentication-option/m-p/5234139#M593652 rezaalikhani 2024-12-09T06:05:51Z