
ISE Machine Authentication passed and User Authentication passed

Rayyyy
Level 1

Hi Experts,

Currently facing an issue with machine authentication and user authentication.

I have a basic understanding of the whole authentication process, and I am not using EAP-Chaining or TEAP, just simple MAR on ISE.

So my question is: once my computer is plugged in to the wired network and before the user logs in to Windows, I should have machine authentication. So if my authentication passed, let's say ISE just assigned me to a VLAN where I have access to the AD, so I got an IP address. Is my understanding correct?

After I input my user credentials and Windows uses my user credentials to access the wired network, I get another profile from ISE and my PC is assigned to another VLAN. During this time, will my PC's IP address refresh by itself? (Not like the posture module configuration that will have a VLAN detection feature haha)

The policy set I designed is like:

1st Rule:

iselabin.local:ExternalGroups==Domain Computers

With the 1st rule, the machine will get authorized access when the machine boots up (before the user enters his credentials).

2nd Rule:

Network Access:WasMachineAuthenticated ==True
AND
iselabin.local:ExternalGroups==Domain Users

Thanks a lot in advance for the help and looking forward to any feedback!

1 Accepted Solution


thomas
Cisco Employee

You are correct, Rayyyy, this should work fine.


Rayyyy
Level 1

Hi folks,

I see this configuration on the Windows PC; I suppose it can change VLAN after the user logs in and the machine has already authenticated successfully.

Thanks

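
A small model of how the two rules in the question interact with the MAR cache, added here as an illustration and not taken from the thread or from ISE itself. The profile names, MAC addresses and aging time are assumptions, and it goes beyond the thread by also showing a user login from an adapter that never machine-authenticated and a login after the cache entry has aged out.

```python
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 5 * 3600  # assumed aging time for this model; configurable in ISE


@dataclass
class MarCache:
    """Toy MAR cache: MAC address -> time of the last passed machine authentication."""
    aging: int = MAR_AGING_SECONDS
    entries: dict = field(default_factory=dict)

    def record(self, mac, now):
        self.entries[mac.lower()] = now

    def was_machine_authenticated(self, mac, now):
        seen = self.entries.get(mac.lower())
        return seen is not None and now - seen <= self.aging


def authorize(cache, mac, ad_groups, now):
    """First-match evaluation of the two rules from the question."""
    # 1st rule: iselabin.local:ExternalGroups == Domain Computers
    if "Domain Computers" in ad_groups:
        # Simplification: a request matching as a domain computer is treated
        # as a passed machine authentication and populates the MAR cache.
        cache.record(mac, now)
        return "MACHINE_VLAN"  # hypothetical authorization profile name
    # 2nd rule: WasMachineAuthenticated == True AND ExternalGroups == Domain Users
    if cache.was_machine_authenticated(mac, now) and "Domain Users" in ad_groups:
        return "USER_VLAN"     # hypothetical authorization profile name
    return "DEFAULT"           # hypothetical fall-through result


def demo():
    cache = MarCache()
    wired, wifi = "00:11:22:33:44:55", "66:77:88:99:AA:BB"  # constructed MACs
    return [
        authorize(cache, wired, {"Domain Computers"}, now=0),     # boot, no user yet
        authorize(cache, wired, {"Domain Users"}, now=600),       # user logs in
        authorize(cache, wifi, {"Domain Users"}, now=900),        # adapter never machine-authed
        authorize(cache, wired, {"Domain Users"}, now=6 * 3600),  # cache entry aged out
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two results are the cases to watch with plain MAR: the user's credentials are valid, but the second rule cannot match because the cache has no current entry for that MAC address.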