Cisco Employee

Avoid username/password prompt every time a workstation unplugs/plugs

I have a customer who is using 2FA for wired dot1x.

Their requirement is to not prompt the machine for username/credentials every time the machine unplugs and plugs in, for 8 hours.

The user comes in the morning, enters their username and 2FA, and can then move around seamlessly for the next 8 hours.

Any thoughts on if and how that can be achieved?

Maybe if we can dump authenticated machines hitting various authorization rules into identity groups the first time they authenticate and then purge them at the end of the day.

ACCEPTED SOLUTION
Cisco Employee

Re: Avoid username/password prompt every time a workstation unplugs/plugs

With username/password you can cache credentials in the supplicant so you do not need to re-type them with every new authentication. I'm not aware of how you can cache a token. You have chosen a very secure authentication method - welcome to the side effect! Suggest you consider certificates which can be automatically presented as Jason suggested.

Letting an endpoint on for a set time (8 hours) is usually only done with Guests where the consequences of a MAC spoof would be fairly inconsequential.
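To make the trade-off in the accepted answer concrete, here is an added toy model (not ISE code, and it does not touch the ISE ERS API) of the "register the endpoint for the day, purge at end of day" idea from the original post. A successful 2FA login records the endpoint's MAC with an 8-hour expiry; later connections from that MAC are permitted without a prompt until the pass expires. The MAC addresses, user names, times and the 8-hour lifetime are constructed for the example. The third event shows the point Thomas makes: a second device that clones the MAC gets the same permit, because the MAC is the only thing the store can check.

```python
"""Toy model of a MAC-keyed 'day pass' for a wired 802.1X endpoint.

Added illustration only. Not ISE code and no ERS API calls are made; it
simulates an endpoint identity group that is populated after one successful
2FA login and purged at the end of the day, and shows why such a group is
only as strong as the MAC address it is keyed on.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: the 8-hour window requested in the thread.
PASS_LIFETIME = timedelta(hours=8)


@dataclass
class DayPassStore:
    # mac (lower-cased) -> (user who passed 2FA, expiry time)
    passes: dict = field(default_factory=dict)

    def record_2fa_success(self, mac: str, user: str, now: datetime) -> None:
        """Called once the user has completed username + 2FA on this endpoint."""
        self.passes[mac.lower()] = (user, now + PASS_LIFETIME)

    def authorize(self, mac: str, now: datetime) -> str:
        """Authorization decision for a (re)connecting endpoint.

        Only the MAC is available at this point, so anything presenting a
        known MAC inside the window is permitted as the recorded user.
        """
        entry = self.passes.get(mac.lower())
        if entry is None:
            return "PROMPT_2FA"
        user, expiry = entry
        if now >= expiry:
            del self.passes[mac.lower()]
            return "PROMPT_2FA"
        return f"PERMIT_AS_{user}"

    def purge_expired(self, now: datetime) -> int:
        """End-of-day job: drop every pass whose window has closed."""
        expired = [m for m, (_, exp) in self.passes.items() if now >= exp]
        for m in expired:
            del self.passes[m]
        return len(expired)


def demo() -> list:
    """Walk one working day for a constructed laptop MAC and return the decisions."""
    store = DayPassStore()
    t0 = datetime(2020, 1, 6, 8, 0)          # constructed: 08:00 Monday
    laptop_mac = "00:11:22:33:44:55"         # constructed MAC
    store.record_2fa_success(laptop_mac, "alice", t0)
    decisions = []
    # 10:30: the same laptop unplugs and replugs; no prompt, as the customer wants.
    decisions.append(store.authorize(laptop_mac, t0 + timedelta(hours=2, minutes=30)))
    # 11:00: a different device that has cloned the laptop's MAC. The store
    # cannot tell it apart, so it is permitted as alice without any 2FA.
    decisions.append(store.authorize(laptop_mac, t0 + timedelta(hours=3)))
    # 16:30: the pass has expired, so the next connection is prompted again.
    decisions.append(store.authorize(laptop_mac, t0 + timedelta(hours=8, minutes=30)))
    return decisions


def purge_demo() -> tuple:
    """Show the end-of-day purge keeping only passes still inside their window."""
    store = DayPassStore()
    t0 = datetime(2020, 1, 6, 8, 0)
    store.record_2fa_success("00:11:22:33:44:55", "alice", t0)                      # expires 16:00
    store.record_2fa_success("66:77:88:99:aa:bb", "bob", t0 + timedelta(hours=2))   # expires 18:00
    removed = store.purge_expired(t0 + timedelta(hours=9))                          # run at 17:00
    return removed, len(store.passes)


if __name__ == "__main__":
    print(demo())        # ['PERMIT_AS_alice', 'PERMIT_AS_alice', 'PROMPT_2FA']
    print(purge_demo())  # (1, 1)
```

The second permit is the whole problem: once the decision key is a MAC address, the 2FA that was performed at 08:00 protects nothing that a MAC clone can reach for the rest of the window. A certificate presented by the supplicant (EAP-TLS) does not have this property, which is why both replies steer towards it.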

3 REPLIES
Cisco Employee

Re: Avoid username/password prompt every time a workstation unplugs/plugs

What about machine cert plus cached user cert or creds?

Or machine cert plus a CWA flow, or CWA with 2FA perhaps? Not sure if possible, but the endpoint could be registered to an endpoint group for the day perhaps.


Cisco Employee

Re: Avoid username/password prompt every time a workstation unplugs/plugs

Thanks Jason and Thomas for your input.

Jason, I already discussed the possibility of using CWA, but the customer does not want to add another flow. Besides, MAC spoofing is a big risk.

Thomas, I did discuss the same thing with the customer: they will have to make a trade-off between security and user experience. They have very strict instructions from their management to use only 2FA for NAC.