https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330146#M598175 <P>In addition to what&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;mentioned, using machine certificate authentication is a secure way to ensure that the machine belongs to your corporate. Although you might run similar checks via posture assessment, however, the big difference between the two that I see is that impersonating or stealing the machine certificate is less likely to happen. On the other side replicating the conditions you have on the posture assessment checks could potentially be something easy to achieve.</P> Mon, 15 Sep 2025 10:39:39 GMT Aref Alsouqi 2025-09-15T10:39:39Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330085#M598168 <P><SPAN><STRONG>Hi All,</STRONG></SPAN></P><P><SPAN>I have been looking into the exact difference between machine authentication and posture assessment. If I perform a posture assessment on a machine before it joins the network—such as checking whether it is a corporate device, AD domain-joined, or passes other health checks—what is the benefit of also having machine authentication?</SPAN></P><P><SPAN>Thanks</SPAN></P> Mon, 15 Sep 2025 07:25:07 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330085#M598168 henokk60 2025-09-15T07:25:07Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330086#M598169 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;machine authentication, checks the machine credentials (AD computer account or certificate) is valid. Posture assessment checks the computer is compliant with posture policy, i.e., is Anti-Virus/Malware installed and up to date or are Windows patches installed or registry checks etc. Posture assessment is run for logged in users, not during machine authentication.</P> <P>The benefit of running machine authentication is machine group policies can be applied or any pre-user login tasks.</P> <P>Using TEAP (machine and user authentication) is now good enough to confirm a corporate device without necessarily running posture assessment.</P> Mon, 15 Sep 2025 07:34:26 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330086#M598169 Rob Ingram 2025-09-15T07:34:26Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330094#M598170 <P>Answer for your Q</P> <P>AD join as posture compliant is not available as I know.</P> <P>So only way to check machine with AD is use machine authc.</P> <P>MHM</P> Mon, 15 Sep 2025 07:59:50 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330094#M598170 MHM Cisco World 2025-09-15T07:59:50Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330133#M598173 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;Yes you can do that by using the <EM><STRONG>registry condition list</STRONG></EM> to check for specific domain and we already achieve that.</P> Mon, 15 Sep 2025 09:25:41 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330133#M598173 henokk60 2025-09-15T09:25:41Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330146#M598175 <P>In addition to what&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;mentioned, using machine certificate authentication is a secure way to ensure that the machine belongs to your corporate. Although you might run similar checks via posture assessment, however, the big difference between the two that I see is that impersonating or stealing the machine certificate is less likely to happen. On the other side replicating the conditions you have on the posture assessment checks could potentially be something easy to achieve.</P> Mon, 15 Sep 2025 10:39:39 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330146#M598175 Aref Alsouqi 2025-09-15T10:39:39Z https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330147#M598176 <P>Register not meaning that device connect AD to check if it valid or not</P> <P>MHM</P> Mon, 15 Sep 2025 10:41:28 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-vs-posture-assesment/m-p/5330147#M598176 MHM Cisco World 2025-09-15T10:41:28Z