
Fast user switching supported by ISE-PIC / ISE?

Uggen
Cisco Employee

Hi,

I would like to know whether ISE-PIC supports fast user switching. We know that AnyConnect does not, but is it the same for ISE/ISE-PIC?


3 Replies

Arne Bier
VIP

To my knowledge there is no network event when a Windows fast user switch occurs. This means that the outside world (RADIUS servers) doesn't know that this event has taken place.
It's probably best to rely on Machine authentication if you're using a Windows supplicant. If you're using AnyConnect then you can combine Machine and User auth. But that won't solve the fast user switch issue.

Damien Miller
VIP Alumni
I suspect that the endpoint would end up with the permissions based on the last user that completed a new log-in.

When user B logs in, a new login event would be generated in AD that PIC would read. PIC isn't context-aware that more than one user would still be logged in. This is because ISE PIC is just monitoring AD login events, and nothing but a fresh log-in has occurred.

A new logon event doesn't get created in AD when user A "logs" back in to an existing session, taking it from hypothetical user B. User A would have the network permissions of user B upon resuming.

The only way to force the correct flow is to disable fast user switching via GPO, or to install NAM, which disables it locally.

Not sure what PIC has to do here, but it doesn't have anything to do with dot1x or supplicants.
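The GPO mitigation recommended in the thread (disable fast user switching) can be verified on the endpoint. The script below is an added example, not code from the thread or from Cisco; it reads and optionally sets the `HideFastUserSwitching` policy value that the "Hide entry points for Fast User Switching" GPO writes. On domain members the GPO is the authoritative source; local enforcement is assumed only for standalone or lab machines.

```powershell
# Added example: audit, and optionally enforce locally, the policy that hides
# Fast User Switching entry points, so every session change is a fresh AD logon
# that ISE-PIC can observe. Domain-joined hosts should get this via GPO
# (Computer Configuration > Administrative Templates > System > Logon).
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'HideFastUserSwitching'

function Get-FastUserSwitchingState {
    # Returns an object describing whether the policy is currently enforced.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyValue  = $value           # $null when the policy is not configured
        Disabled     = ($value -eq 1)   # $true only when FUS entry points are hidden
    }
}

function Disable-FastUserSwitching {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Local enforcement for non-domain or lab machines; requires an elevated shell.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set DWORD value to 1')) {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    }
}

$state = Get-FastUserSwitchingState
if ($state.Disabled) {
    Write-Host "Fast User Switching entry points are hidden on $($state.ComputerName)."
} else {
    Write-Warning "Fast User Switching is allowed on $($state.ComputerName); ISE-PIC mappings may follow the last fresh AD logon."
    # Disable-FastUserSwitching -WhatIf   # drop -WhatIf to enforce locally
}
```

Run `gpresult /r` or `rsop.msc` afterwards to confirm the value came from the domain GPO rather than a local override.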