Differentiated access on same machine with multiple logins

Tze Tai Mak
Level 1

Hi,

My customer has this question on whether ISE can achieve differentiated access for different Windows sessions on the same machine. The scenario is that the normal user authenticates on his/her Windows machine and gets access to the network according to his AD account. He requests IT support, and then the IT admin logs him out and switches to his/her IT admin account. Is it possible to assign different access control for the IT admin while the normal user session is still running?

It seems to me that we need a firewall to have a session access policy based on the user session, rather than ISE, which is based on the endpoint.

Any comment or suggestion?

Thanks, Tommy

1 Accepted Solution

Accepted Solutions

ldanny
Cisco Employee

Hi,

If you are referring to Fast User Switching on Windows machines then no, ISE does not support this as it cannot recognize a disconnect of the previous user session.

-Danny

2 Replies

kthiruve
Cisco Employee

As Danny mentioned, Fast User Switching is not supported. This is when user A is still logged in while user B uses Fast User Switching to log in to the same machine.

However, if user A is logged off and user B logs in, you can provide differentiated access based on the user role of user B.

If you want secure authentication you need 802.1X. There is also a solution called EasyConnect that makes configuration on switches easier, where you can use MAB for initial access to resources, and then ISE talks to AD, gets the user information and ties it to the session.

Here is more information on that.

https://communities.cisco.com/docs/DOC-68080

If you want to identify the corporate asset as well as provide differentiated access, then EAP-Chaining could be a way. You need the AnyConnect client for this.

-Krishnan
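To make the distinction Danny and Krishnan draw concrete, here is an added Python model (not code from this thread, and not how ISE is implemented) of an authorization table keyed on the endpoint rather than on the Windows user. The user names, VLAN labels and MAC address are constructed values.

```python
from typing import Dict, Optional, Set

# Constructed sample data: the authorization an ISE policy might return per
# user, plus one endpoint MAC (assumed values, not from the original thread).
POLICY = {"alice": "employee-vlan", "it.admin": "admin-vlan"}
MAC = "00:11:22:33:44:55"


class EndpointSessionModel:
    """Authorization is tracked per endpoint (MAC), not per Windows user."""

    def __init__(self) -> None:
        self.authorized_user: Dict[str, Optional[str]] = {}
        self.logged_in_users: Dict[str, Set[str]] = {}

    def authenticate(self, mac: str, user: str) -> str:
        # A successful authentication re-authorizes the whole endpoint.
        self.logged_in_users.setdefault(mac, set()).add(user)
        self.authorized_user[mac] = user
        return POLICY[user]

    def logoff(self, mac: str, user: str) -> None:
        # A real log-off removes the user and withdraws the endpoint's access
        # until someone authenticates again.
        self.logged_in_users[mac].discard(user)
        if self.authorized_user.get(mac) == user:
            self.authorized_user[mac] = None

    def effective_access(self, mac: str) -> Dict[str, str]:
        # Every Windows session still running on the endpoint shares its access.
        access = POLICY.get(self.authorized_user.get(mac), "no-access")
        return {u: access for u in self.logged_in_users.get(mac, set())}


def logoff_then_login() -> Dict[str, str]:
    """Supported case: alice logs off before the IT admin logs in."""
    m = EndpointSessionModel()
    m.authenticate(MAC, "alice")
    m.logoff(MAC, "alice")
    m.authenticate(MAC, "it.admin")
    return m.effective_access(MAC)


def fast_user_switch() -> Dict[str, str]:
    """Unsupported case: alice stays logged in, so ISE sees no disconnect."""
    m = EndpointSessionModel()
    m.authenticate(MAC, "alice")
    m.authenticate(MAC, "it.admin")
    return m.effective_access(MAC)
```

In the Fast User Switching case the still-running alice session ends up with the admin authorization, which is the exposure behind the "not supported" answer.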
