My customer has this question on whether ISE can achieve differentiated access for different Windows sessions on the same machine. The scenario is that the normal user authenticates on his/her Windows machine and gets access to the network according to his AD account. He requests IT support, and then the IT admin logs him out and switches to his/her IT admin account. Is it possible to assign different access control for the IT admin while the normal user session is still running?
It seems to me that we need a firewall to have a session access policy based on the user session, rather than ISE based on the endpoint.