4133 Views | 0 Helpful | 9 Replies

ISE Checks if User and Computer are Joined in AD Domain

fatalXerror (Level 5)

Hi Experts,

Good Day!

I would like to seek your expert assistance about this concern. My client wants to have a policy in ISE that checks if the user is in AD and the computer is joined to their domain. Is that possible?

Thank you for your great help.

Cheers,

Niks

9 Replies

Marvin Rhoads (Hall of Fame)

Niks,

A similar question was posed just a couple of days ago - please see this thread.

Short answer - yes - this is not only possible, but a common use case for ISE.

Hi Marvin,

Good Day!

Thanks for the link. May I ask how ISE checks if the computer is joined? I only know how to authenticate the user, which is of course based on AD.

Also, based on the Cisco documentation I should use EAP-FAST as the EAP protocol; however, my client is now using EAP-TLS. Is that possible for EAP Chaining? And lastly, my client doesn't want to use AnyConnect NAM. Is that possible?

Thanks for the great help.

Cheers,

Niks

You're welcome.

EAP Chaining (to check both machine and user authentication) does require EAP-FAST as the outer method and the AnyConnect NAM module. You can't do it with native supplicants. That's one of the value propositions of using the AnyConnect NAM.

When the machine authentication is attempted, ISE will look it up in the configured identity store (e.g., AD) and verify the machine exists as a joined computer.


Hi Marvin,

Good day!

I was able to find a solution for not using AnyConnect NAM by just checking the AD group Domain Computers; however, I need to log off and log in again on my computer for that policy to be hit.

I'm not sure what I missed, please help.

Thanks

You can achieve machine and user authentication using a policy like the following, but it has several restrictions. EAP Chaining is the best way to do it.

Hi Marvin,

Good Day!

I tried the solution for machine authentication without using AnyConnect NAM; however, I still need to log off and log on again on my laptop for my policy to be hit.

May I know, if I use AnyConnect NAM with EAP Chaining for machine + user authentication, is the procedure of logging off and logging in again on the laptop still needed?

Thanks again for the help Marvin!

Cheers,

Niks

Niks,

Normally "There is usually no need to re-authenticate a previously authenticated endpoint that remains connected to the network. After a successful 802.1X authentication, the port remains open until the session is terminated, most typically by a physical link-down event. Because physical connectivity is continuously maintained, the authenticated endpoint remains connected to the port. Under these circumstances, re-interrogating endpoint credentials serves no purpose."

Source.

You can force a reauthentication from ISE, or set the switch port to periodically reauthenticate (not recommended per the above design guide, but the command to do so is "authentication periodic", which will force reauthentication once an hour; you can tweak the period with "authentication timer reauthenticate"), or disconnect and reconnect the port, or - as you noted - log off and log on to trigger a reauthentication.
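For readers who want to see how the two interface commands Marvin names fit together, here is an added illustration of an 802.1X access port with periodic reauthentication. It is not configuration from the thread or from Cisco's design guide; the interface name and the 7200-second period are assumptions, and the commented-out alternatives show the `server` keyword (the interval then comes from the RADIUS Session-Timeout attribute that ISE sends) and a one-off reauthentication triggered from the switch without changing the port.

```cisco
! Interface name is an assumption for this illustration
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! Turn on periodic reauthentication; with no timer set the period defaults
 ! to 3600 seconds, the "once an hour" behaviour mentioned in the thread
 authentication periodic
 ! Option A: fixed period in seconds (7200 is an assumed value)
 authentication timer reauthenticate 7200
 ! Option B (instead of A): let ISE supply the period per session through
 ! the RADIUS Session-Timeout attribute in the Access-Accept
 ! authentication timer reauthenticate server
!
! To re-run authentication once, from privileged EXEC rather than config mode:
! dot1x re-authenticate interface GigabitEthernet1/0/10
```

As Marvin's quoted design guidance says, periodic reauthentication buys nothing for an endpoint that stays connected; its practical use here is only to make a newly added policy (such as the Domain Computers check) take effect without waiting for a link-down or a logoff, and a CoA from ISE does the same without touching the switch configuration.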

Hi Marvin,

Good Day!

Does this also apply to a WLAN setup? As of now, we tried machine + user authentication using the native Windows supplicant; however, we need to log off and log in again on the laptop/computer so that the policy for machine authentication will get hit.

Now we will try to use AnyConnect NAM as you suggested before. Will this solution still need us to log off and log in on the computer for machine authentication to hit the policy?

Thanks,

Niks

So, using AnyConnect, will we have the same condition of the user needing to log off or reboot the machine?
