User and Machine authentication resume from sleep

dan.letkeman
Level 4

Hello,

Wondering if anyone can share with me the authorization profile they use for when you need to do user and machine authentication using the native Windows supplicant. Currently I have two policies: one that matches the AD group that the workstation is a part of, and a second policy that matches the user group that the user is a part of, as well as "Network Access:WasMachineAuthenticated = true". This works well except when the machine resumes from sleep after an hour or two and tries to authenticate as the user. At this point it fails, as the policy doesn't match "Network Access:WasMachineAuthenticated" anymore.

I need to match based on the workstation first because this is the only way I can keep BYOD users off of the Corporate SSID.  Unless there is a different way?

Thanks,

Dan.

3 Replies

This is essentially due to the fact that Windows hosts by default perform machine authentication at startup only; after a logout/login cycle they perform user authentication only. That's why you can experience those issues.

ISE can retain the machine authentication attribute for as long as you need in order to minimize the impact of the issue; you can find the option in the advanced settings of your AD external identity source.

I've also seen that enabling SSO on Windows supplicants seems to force Windows hosts to perform machine authentication also after a logout/login cycle, but I don't know if this option has some side effects or security drawbacks.
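An added illustration of the retention behaviour described in this reply (a constructed Python model, not ISE code and not from anyone in this thread): a two-rule policy where WasMachineAuthenticated is true only while the client's MAC is still in a machine-auth cache whose lifetime stands in for the aging time in the AD identity source's advanced settings. The cache keyed by Calling-Station-Id, the group names, the MACs and the timeline are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AuthRequest:
    t: float        # seconds since the host booted (constructed timeline)
    kind: str       # "machine" (host$ at boot) or "user" (after logon / resume)
    mac: str        # Calling-Station-Id; the machine-auth cache is keyed by it
    groups: set     # AD groups of the authenticating identity


@dataclass
class AuthzModel:
    """Two rules as in the thread: (1) machine in the workstation AD group,
    (2) user in the user AD group AND WasMachineAuthenticated, where the
    attribute is true only while the MAC is still in the machine-auth cache."""
    machine_retention_s: float                 # assumed stand-in for the aging time
    cache: dict = field(default_factory=dict)  # mac -> time of last machine auth

    def authorize(self, req: AuthRequest) -> str:
        if req.kind == "machine":
            if "Domain Computers" in req.groups:
                self.cache[req.mac] = req.t
                return "PERMIT_MACHINE"
            return "DENY"
        seen = self.cache.get(req.mac)
        was_machine_authenticated = (
            seen is not None and req.t - seen <= self.machine_retention_s
        )
        if "Corp Users" in req.groups and was_machine_authenticated:
            return "PERMIT_USER"
        return "DENY"


def run_scenario(machine_retention_s: float) -> list:
    """Constructed timeline: boot, interactive logon, resume after two hours
    of sleep, plus a non-domain (BYOD) laptop using corporate user credentials."""
    model = AuthzModel(machine_retention_s)
    corp, byod = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    timeline = [
        AuthRequest(0,    "machine", corp, {"Domain Computers"}),  # boot
        AuthRequest(60,   "user",    corp, {"Corp Users"}),        # logon
        AuthRequest(7260, "user",    corp, {"Corp Users"}),        # resume
        AuthRequest(100,  "user",    byod, {"Corp Users"}),        # BYOD device
    ]
    return [model.authorize(r) for r in timeline]


if __name__ == "__main__":
    print("1h retention:", run_scenario(3600))      # resume is denied
    print("8h retention:", run_scenario(8 * 3600))  # resume is permitted
```

With a one-hour retention the resume-from-sleep user authentication is denied exactly as the original post describes, while a longer retention keeps it permitted; the BYOD device is denied in both cases because it never machine-authenticated.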

Massimo,

Thanks for the reply, I will look into the timeout settings. Any other ideas on how to keep BYOD devices off of the corporate SSID short of using certificate-based authentication?

I was thinking if there was a way to add a domain joined device to an endpoint group in ISE, then I could base the user authentication against the user and the endpoint group instead of using "wasmachineauthenticated"?

Dan.

Don't know, Dan. In my mind, in order to match an endpoint group you need the hosts to perform machine authentication; at that point you can easily use the "wasmachineauthenticated" condition to keep non-domain hosts out of the corporate SSID.