Assign SGT to multiple users on single VM

kerai08
Cisco Employee

Hi there,

Appreciate your guidance on the following:

Customer has a use case where 2 users may log into one VM at the same time - so concurrently logged in - and have asked whether it is possible to assign an SGT to each user.

If a single user was logged on, it isn't an issue because the VM has a single IP address which can be associated to that one user via the Nexus 1kv, for example. But as the VM has a single IP, how can we assign an SGT to each user?

Would ISE 2.1's new feature 'EasyConnect' be an option here?

Thanks!

Arron

Accepted Solution

thomas
Cisco Employee

The short answer is No, just as we cannot assign different VLANs or ACLs to a single MAC or IP address. This is the same fundamental problem we have with users running VMware with NAT mode instead of Bridge mode - all VMs on the host computer just look like the host!

Typically when you have a multi-user device, if you still want Fast User Switching (FUS) and concurrent users then you'll need to go with a machine authentication only. Windows will not send an 802.1X even for FUS to detect a user change and we have no way to differentiate and enforce separate concurrent users given a single MAC or IP address.

I'd recommend machine authentication to the network with OS-level authentication for the users. If they still require enforcement they will need to allocate separate VMs per user or have the users do all work through web browsers where you can enforce user-level privileges/access at the application layer or via a WSA proxy/filter.

Easy Connect is a way to join an unauthenticated network session to an AD user login. Subsequent user logins to the same MAC/IP would change the authorization for the other user(s) on that same MAC/IP.

Cisco employees & Partners may refer to slides #411-413 of the ISE 2.1 Techtorial which covers Endpoint Sharing:

ISE 2.1 Techtorial - SEVT - Security - Video

ISE 2.1 Techtorial - SEVT - Security - PDF
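To make the point above concrete, here is an added example (not from the thread or from Cisco) that models the IP-keyed binding an enforcement point actually holds. It uses a constructed, hypothetical session-record format, flags IPs where concurrent sessions carry different SGTs, and shows that the later login's SGT is what applies to everyone on that IP.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Session:
    # Constructed, hypothetical session record: one authenticated login.
    user: str
    ip: str
    sgt: str
    start: datetime
    end: Optional[datetime] = None  # None means the session is still active

def _active_at(s: Session, t: datetime) -> bool:
    return s.start <= t and (s.end is None or t < s.end)

def _overlaps(a: Session, b: Session) -> bool:
    a_end = a.end or datetime.max
    b_end = b.end or datetime.max
    return a.start < b_end and b.start < a_end

def find_shared_endpoints(sessions: List[Session]) -> Dict[str, Set[Tuple[str, str]]]:
    """IPs where concurrent sessions carry different SGTs: enforcement there is ambiguous."""
    by_ip: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        by_ip[s.ip].append(s)
    shared: Dict[str, Set[Tuple[str, str]]] = {}
    for ip, group in by_ip.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if _overlaps(a, b) and a.sgt != b.sgt:
                    shared.setdefault(ip, set()).update({(a.user, a.sgt), (b.user, b.sgt)})
    return shared

def effective_sgt(sessions: List[Session], ip: str, at: datetime) -> Optional[Tuple[str, str]]:
    """The single binding an IP-keyed enforcement point holds: the most recent login active at `at`."""
    live = [s for s in sessions if s.ip == ip and _active_at(s, at)]
    if not live:
        return None
    latest = max(live, key=lambda s: s.start)
    return latest.user, latest.sgt

# Constructed sample: two users share one VM IP; a third user is alone on another IP.
def T(h: int, m: int) -> datetime:
    return datetime(2024, 1, 1, h, m)

SAMPLE = [
    Session("alice", "10.1.1.50", "Finance", T(9, 0)),
    Session("bob", "10.1.1.50", "Contractors", T(9, 30)),
    Session("carol", "10.1.1.51", "HR", T(9, 0), T(10, 0)),
]
```

Running `find_shared_endpoints(SAMPLE)` reports 10.1.1.50 as shared, and `effective_sgt(SAMPLE, "10.1.1.50", T(9, 45))` returns bob's binding, which is now also what alice's traffic is enforced against.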
