Differentiated access on same machine with multiple logins

Hi,

My customer has this question on whether ISE can achieve differentiated access for different Windows sessions on the same machine. The scenario is that the normal user authenticates on his/her Windows machine and gets access to the network according to his AD account. He requests IT support, and then the IT admin logs him out and switches to his/her IT admin account. Is it possible to assign different access control for the IT admin while the normal user session is still running?

It seems to me that we need a firewall to have session access policy based on user session, rather than ISE based on endpoint.

Any comment or suggestion?

Thanks, Tommy

Accepted Solution (Cisco Employee):

Hi,

If you are referring to Fast User Switching on Windows machines, then no, ISE does not support this, as it cannot recognize a disconnect of the previous user session.

-Danny



Reply (Cisco Employee):

As Danny mentioned, Fast User Switching is not supported. This is the case where user A is still logged in and user B uses Fast User Switching to log in to the same machine.

However, if user A is logged off and user B logs in, you can provide differentiated access based on the user role of user B.

If you want secure authentication you need 802.1X. There is also a solution called Easy Connect that makes configuration on switches easier, where you can use MAB for initial access to resources and then ISE talks to AD, gets the user information and ties it to the session.

Here is more information on that.

https://communities.cisco.com/docs/DOC-68080

If you want to identify the corporate asset as well as provide differentiated access, then EAP-Chaining could be a way. You need the AnyConnect client for this.

-Krishnan
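As an added illustration of the two replies (example code written for this thread, not ISE or Cisco software): a toy NAC server whose session table is keyed on the endpoint MAC, and a Windows host whose supplicant authenticates on logon and signals a logoff on logoff, but sends nothing on "Switch user". The first scenario is the Fast User Switching case Danny and Krishnan say is unsupported; the second is the logoff-then-logon case that does yield differentiated access. The users, groups, MAC address and dACL names are constructed for the example, and the supplicant behaviour modelled is the one the replies describe; a real supplicant's behaviour depends on the supplicant and its configuration.

```python
"""Toy model of a NAC session table keyed on the endpoint (as the replies
describe ISE): Fast User Switching leaves the first user's authorization on
the port, while a logoff followed by a logon replaces it.
Added example for this thread, not Cisco or ISE code; all names constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed authorization policy: AD group -> name of the downloadable ACL
# (dACL) the server would return to the switch. Hypothetical names.
AUTHZ_POLICY = {
    "Domain Users": "PERMIT_USER_VLAN",
    "IT Admins": "PERMIT_ADMIN_FULL",
}
DEFAULT_DACL = "DENY_ALL"


@dataclass
class Session:
    mac: str
    user: str
    dacl: str


class NacServer:
    """Session cache keyed on MAC: one port, one endpoint, one identity."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.log: list[str] = []

    def access_request(self, mac: str, user: str, group: str) -> Session:
        """A successful RADIUS Access-Request replaces the endpoint's session."""
        dacl = AUTHZ_POLICY.get(group, DEFAULT_DACL)
        self.sessions[mac] = Session(mac, user, dacl)
        self.log.append(f"Access-Accept mac={mac} user={user} dacl={dacl}")
        return self.sessions[mac]

    def accounting_stop(self, mac: str) -> None:
        """Accounting-Stop (link down or EAPOL-Logoff) tears the session down."""
        if self.sessions.pop(mac, None) is not None:
            self.log.append(f"Session-Terminated mac={mac}")

    def authorization_for(self, mac: str) -> Optional[str]:
        """dACL currently applied to the port for this endpoint, if any."""
        s = self.sessions.get(mac)
        return s.dacl if s else None


class WindowsHost:
    """Workstation with an 802.1X user-authentication supplicant."""

    def __init__(self, mac: str, nac: NacServer) -> None:
        self.mac = mac
        self.nac = nac
        self.active_user: Optional[str] = None
        self.background_users: list[str] = []  # kept alive by Fast User Switching

    def logon(self, user: str, group: str) -> None:
        # Interactive logon with no other session present: the supplicant
        # authenticates as this user and the switch relays an Access-Request.
        self.active_user = user
        self.nac.access_request(self.mac, user, group)

    def logoff(self) -> None:
        # Logoff ends the only session: EAPOL-Logoff from the supplicant,
        # Accounting-Stop from the switch, session removed on the server.
        self.active_user = None
        self.nac.accounting_stop(self.mac)

    def switch_user(self, user: str, group: str) -> None:
        # Fast User Switching: the first user stays logged in, the link never
        # drops and the supplicant sends nothing, so the server never learns
        # that a different person is now at the keyboard.
        if self.active_user is not None:
            self.background_users.append(self.active_user)
        self.active_user = user  # deliberately no NAC interaction


def scenario_fast_user_switch() -> Optional[str]:
    """User logs on, IT admin uses 'Switch user': port keeps the user's dACL."""
    nac = NacServer()
    host = WindowsHost("00:11:22:33:44:55", nac)
    host.logon("tommy", "Domain Users")
    host.switch_user("itadmin", "IT Admins")
    return nac.authorization_for(host.mac)


def scenario_logoff_then_logon() -> Optional[str]:
    """User logs off, then IT admin logs on: port gets the admin's dACL."""
    nac = NacServer()
    host = WindowsHost("00:11:22:33:44:55", nac)
    host.logon("tommy", "Domain Users")
    host.logoff()
    host.logon("itadmin", "IT Admins")
    return nac.authorization_for(host.mac)


if __name__ == "__main__":
    print("Switch user       ->", scenario_fast_user_switch())
    print("Logoff then logon ->", scenario_logoff_then_logon())
```

The point of the model is the key of the session table: the server stores one identity per endpoint, so anything the host does without sending a new Access-Request or an Accounting-Stop is invisible to it. That is also why the original poster's instinct about a firewall with per-user session awareness, or the EAP-Chaining approach Krishnan mentions, is about getting a different signal to the enforcement point rather than tuning ISE policy.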
