
Cisco ISE with Trustsec for Multiple Windows Session

Kevin Raditheo
Level 1

Hi all,

Currently I have a PoV at my customer with a use case where they want to secure multiple user sessions from a single Windows Host PC.

So it is basically like this:

  • They have a Host PC where the actual Windows is installed.
  • Then they have some sort of thin client to make an RDP session to this Host PC.
  • One Host PC can be accessed over RDP by more than one client using some sort of software. So it will be like having multiple users logged in to Windows; the difference is that all the users can use it simultaneously.
  • The goal is to separate access for multiple users logging in to the same Host PC using ISE, because sometimes different users with different access permissions connect to a single Host PC.

Does anyone have an idea or experience of how to achieve this?

Maybe implementing TrustSec SGT can achieve this?

I tried to use multi-auth on the switch port, but it failed. Only the first user has to authenticate; the rest will be automatically authenticated.

Any idea will help.

Thank you in advance.

Regards,

Kevin

1 Accepted Solution

Jason Kunst
Cisco Employee

You're saying that at one time on the same operating system multiple people will be logged in?

No, there is no way for the client to do this.

The client would have to provide a Dot1x session for each user that logs in so that we can authenticate and provide different access permissions (Tag).

8 Replies

Charlie Moreton
Cisco Employee

I tried to use multi-auth on the switch port, but it failed. Only the first user has to authenticate; the rest will be automatically authenticated.

This is a limitation of RDP.  Microsoft has no plans (publicly) to change this.

Kevin Raditheo
Level 1

Hi Jason,

So you're saying that there's no way to authenticate each user that logs in from the same Windows OS at the same time?

Correct. 802.1X is for the endpoint client device as a whole. Thus, either allow one user login at a time, or authenticate the computer instead of the user.

Hi hslai,

You say to authenticate the computer instead; does that mean machine authentication? Can this be used to authenticate multiple user logins?

The computer auth is on the 802.1X supplicant level for network access. RDP user login will be done by the regular Windows remote terminal access, either local or by Active Directory.

So it means, for the time being, there's no way to authenticate multiple users that are logged in to a single Windows host, even with the TrustSec SGT solution? I just need to clarify that so I can move to an alternative solution to secure the environment with ISE.

That is correct.