06-26-2017 10:20 PM
Hi,
My customer has this question on whether ISE can achieve differentiated access for different Windows sessions on the same machine. The scenario is that the normal user authenticates on his/her Windows machine and gets access to the network according to his AD account. He requests IT support, and then the IT admin logs him out and switches to his/her IT admin account. Is it possible to assign different access control for the IT admin while the normal user session is still running?
It seems to me that we need a firewall to have session access policy based on user session, rather than ISE based on endpoint.
Any comment or suggestion?
Thanks, Tommy
06-26-2017 10:40 PM
Hi,
If you are referring to Fast User Switching on Windows machines then no, ISE does not support this, as it cannot recognize a disconnect of the previous user session.
-Danny
06-26-2017 11:09 PM
As Danny mentioned, Fast User Switching is not supported. This is when user A is still logged in when user B uses Fast User Switching to log in to the same machine.
However, if user A is logged off and user B logs in, you can provide differentiated access based on the user role of user B.
If you want secure authentication you need 802.1x. There is also a solution called Easy Connect that makes configuration on switches easier, where you can use MAB for initial access to resources and then ISE talks to AD and gets the user information and ties it to the session.
Here is more information on that.
https://communities.cisco.com/docs/DOC-68080
If you want to identify corporate assets as well as provide differentiated access, then EAP-Chaining could be a way. You need the AnyConnect client for this.
-Krishnan