Best practice for authentication policies for wired workstations

dropped_packetz
Level 1

I am trying to get a better grasp on how these should be properly set up because I feel our current config is not. We use NAM (will move to Windows Native/TEAP in the future) with EAP-FAST/EAP-TLS and EAP-Chaining. Currently, our top two Authorization Policies on our Enforcement Policy Set are:
1. user and machine both succeeded
then
2. user failed and machine succeeded

Both of these are pointing to the same TrustedComputer authorization profile with full access. We are having an issue where if a new user logs onto a workstation they have never logged onto before (thus not having a user cert on the workstation), the workstation is authenticating and getting blocked before the workstation has a chance to retrieve a user cert from our CA server. From what I am reading, this is due to these policies both pointing to the same authorization policy, and I need to make the "user failed and machine succeeded" a separate authorization policy with a limited access DACL and a Session-Timeout, so that it will initiate a CoA after the workstation has a chance to acquire a user cert and then should get full access on the "user and machine succeeded" policy after the Session-Timeout.

All that makes sense and is pretty straightforward, but I am also working on a DACL for workstations that are not even authenticating with a machine cert and/or NAM is not working right or may not be installed at all. In essence, both of those situations seem to need access to almost all the same services to get fully authenticated. The only difference I can see is that the authorization policy for workstations where the machine is failing or that don't have NAM at all would also need access to a means of remote access so that our desktop support team can reach it and get NAM fixed on it.

So is it best practice to have a separate authorization policy for all the different scenarios (i.e. a) machine fail/no NAM - limited access DACL1, b) machine succeed and user fail - limited access DACL2, c) machine and user succeed - full access), or is it best to just make 2 separate ones and combine "machine fail/no NAM" and "user fail and machine succeed" into the same policy? Also, what order should they be in from top down?
I have documentation saying machine-only succeed should be above the full access policy, but I have seen screenshots in white papers that have the user and machine - full access policy above the machine-only succeed policy.

Just trying to get some best practice guidance because I feel I inherited a mess with this ISE environment.
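To make the ordering question concrete, here is an added example (not from the original post or from Cisco ISE itself) that models a policy set as an ordered, first-match rule list over EAP-chaining outcomes. Profile names, the 300-second Session-Timeout and the rule conditions are assumptions; it walks a new-user logon through the limited profile and then full access, and shows how a too-broad "machine succeeded" rule on top silently shadows the rules beneath it.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Outcome of an EAP-chaining exchange: did the machine and user halves pass?
@dataclass(frozen=True)
class ChainResult:
    machine_ok: bool
    user_ok: bool

# One authorization rule: a condition, the profile it grants, and an optional
# Session-Timeout (seconds) that forces a re-authentication later.
@dataclass(frozen=True)
class AuthzRule:
    name: str
    matches: Callable[[ChainResult], bool]
    profile: str
    session_timeout: Optional[int] = None

# Model of the three-policy layout from the post (profile names are assumed).
# The conditions are mutually exclusive, so top-down order cannot shadow any rule.
RULES = [
    AuthzRule("user and machine succeeded", lambda r: r.machine_ok and r.user_ok, "TrustedComputer"),
    AuthzRule("user failed, machine succeeded", lambda r: r.machine_ok and not r.user_ok, "MachineOnly_DACL2", 300),
    AuthzRule("machine failed / no NAM", lambda r: not r.machine_ok, "Remediation_DACL1", 300),
]

# Every combination the chaining result can take (used to find dead rules).
ALL_OUTCOMES = [ChainResult(m, u) for m in (True, False) for u in (True, False)]

def authorize(result, rules=RULES):
    """First-match evaluation, top-down, as a policy set is processed."""
    for rule in rules:
        if rule.matches(result):
            return rule
    return None

def new_user_logon(rules=RULES):
    """New user on a workstation: machine cert only at first, user cert enrolled later."""
    first = authorize(ChainResult(machine_ok=True, user_ok=False), rules)
    # The limited profile's Session-Timeout triggers re-auth once the user cert exists.
    second = authorize(ChainResult(machine_ok=True, user_ok=True), rules) if first.session_timeout else first
    return (first.profile, second.profile)

def unreachable_rules(rules):
    """Names of rules that can never fire because a rule above them always matches first."""
    hit = {authorize(o, rules).name for o in ALL_OUTCOMES if authorize(o, rules)}
    return [r.name for r in rules if r.name not in hit]

# A broad "machine succeeded" rule placed on top shadows both rules that check the user.
SHADOWED = [AuthzRule("machine succeeded", lambda r: r.machine_ok, "MachineOnly_DACL2", 300)] + RULES
```

With the precise conditions, the new user lands on the limited DACL and then on TrustedComputer after the timeout; with the broad rule on top, re-authentication keeps returning the limited profile and the full-access rule is never reached.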


M02@rt37
VIP

Hello @dropped_packetz 

You should avoid combining "machine succeeded, user failed" with "machine failed/user failed" into the same authorization profile. Though their network requirements may overlap somewhat, they represent different states of trust and need to be tracked and remediated differently.

This separation is also crucial for audit, security policy enforcement, and troubleshooting.

Best regards

OK, so then I do need to have three separate Authorization Policies going to 3 different Authorization Profiles is what you are saying.  Correct?