Fast User Switching (yes again)

paul
Level 10

I know this has been covered in other posts, but those posts are several years old. I want to see if anything has changed in recent years. I know NAM still doesn't support fast user switching, and I don't believe the Windows supplicant does either. The credentials of the first user that logged in will remain the Dot1x credentials no matter how many others log in.

 

I have tested with AC 4.7 NAM and see this to be true. If the first user logs out, NAM will fall back to computer auth. When one of the other logged-in users provides their credentials during a fast user switch, NAM will switch to that user's identity.

 

I have two questions:

 

  1. Is there any way to handle this on the supplicant side so the network is aware of the fast user switch and can apply different policies to the active user? I am pretty sure the answer is no.
  2. Is there any way at the FTD firewall to keep track of the active user on a fast user switching device? In the active path the answer is no, because the supplicant is going to be stuck on the first user. If we do passive ID, the last entry in the security event logs on the DC will be the last logged-in user. So I don't think there is a solution here either. The only multi-user support I know of is the TS agent, and that plays games with source ports to make it work. I don't know of anything on the client side that would help with identity on the FTD FW in a fast user switching scenario. Am I missing something here?

Thanks for the help.


kthiruve
Cisco Employee

Paul,

 

True.

Have you tried EasyConnect with machine auth/MAB + AD login for fast switching? I haven't tried it myself. If you have posture on top of it with a registry check or other checks, you can do a CoA. All of these are long shots.

When I looked up fast switching, it seems applications can track the fast switching change via a Windows call:

https://docs.microsoft.com/en-us/windows/win32/shell/fast-user-switching

 

Not sure if there is an event sent to AD. There is a group policy setting on this though.

 

-Krishnan

I don't think passive ID will work, as the domain controller serial logs would have something like this (obviously made-up log format):

 

User1 logged in at IP 1.1.1.1

User2 logged in at IP 1.1.1.1

User3 logged in at IP 1.1.1.1

 

If passive ID is scraping the security logs, it will feed all that data to pxGrid and the pxGrid clients will deal with the info. I believe they are simply going to replace previously learned data. So the pxGrid clients would think User3 is associated with 1.1.1.1.
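The overwrite behaviour described above, modelled as an added example that is not part of the thread or of any Cisco product code. It parses a constructed DC security-log excerpt (the line format is invented for illustration; the event IDs 4624/4634 and Logon Type values 2, 3 and 11 are the real Windows Security log identifiers) and contrasts two ways a passive-ID consumer could build an IP-to-user binding: the last-writer-wins replacement paul expects from pxGrid clients, and a session-aware variant that at least knows when the binding is ambiguous. Neither can tell which of several logged-in users currently holds the console, which is the core limitation.

```python
"""Model how passive ID collapses fast-user-switched sessions on one IP.

Added example for this thread; not Cisco code. The log format below is
constructed. Event 4624 = account logon, 4634 = account logoff; Logon Type 2 =
Interactive, 3 = Network, 11 = CachedInteractive (real Windows identifiers).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed DC security-log excerpt: three users fast-user-switch on one
# workstation, a service account makes a network logon from the same IP, and the
# most recent console user (user3) then logs off.
SAMPLE_LOG = """\
4624 user=user1 ip=10.1.1.50 type=2
4624 user=svc-backup ip=10.1.1.50 type=3
4624 user=user2 ip=10.1.1.50 type=2
4624 user=user3 ip=10.1.1.50 type=2
4634 user=user3 ip=10.1.1.50 type=2
"""

# Only console-style logons reflect a fast user switch; type 3 network logons
# from the same host (file shares, scheduled tasks) would otherwise churn the map.
INTERACTIVE_LOGON_TYPES = {2, 11}

LINE_RE = re.compile(
    r"^(?P<event>\d+) user=(?P<user>\S+) ip=(?P<ip>\S+) type=(?P<type>\d+)$"
)


def parse(log: str) -> List[dict]:
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            {
                "event": int(m["event"]),
                "user": m["user"],
                "ip": m["ip"],
                "type": int(m["type"]),
            }
        )
    return events


def last_writer_wins(events: List[dict]) -> Dict[str, str]:
    """The replacement behaviour paul describes: each interactive logon overwrites
    the previous user bound to that IP, and a logoff is never consulted."""
    binding: Dict[str, str] = {}
    for e in events:
        if e["event"] == 4624 and e["type"] in INTERACTIVE_LOGON_TYPES:
            binding[e["ip"]] = e["user"]
    return binding


def session_aware(events: List[dict]) -> Dict[str, Set[str]]:
    """Track every interactive session still open per IP (4624 adds, 4634 removes).
    This is more honest than last-writer-wins, but it still cannot say which open
    session is at the console after a fast user switch."""
    sessions: Dict[str, Set[str]] = {}
    for e in events:
        if e["type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        users = sessions.setdefault(e["ip"], set())
        if e["event"] == 4624:
            users.add(e["user"])
        elif e["event"] == 4634:
            users.discard(e["user"])
    return sessions


def policy_user(sessions: Dict[str, Set[str]], ip: str) -> Optional[str]:
    """Return an identity for a user-based policy only when it is unambiguous;
    None means the firewall should fall back to a device- or IP-based rule."""
    users = sessions.get(ip, set())
    return next(iter(users)) if len(users) == 1 else None


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("last-writer-wins:", last_writer_wins(evts))
    print("open sessions:   ", session_aware(evts))
    print("policy user:     ", policy_user(session_aware(evts), "10.1.1.50"))
```

Running it shows last-writer-wins still reporting user3 for 10.1.1.50 even though user3 has logged off, while user1 and user2 remain logged in behind the console; the session-aware view returns both and therefore no single policy user. That is the gap paul is pointing at: the DC log can tell you who has logged on to a host, not who is in front of it.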