12-08-2024 12:07 AM
Hi all;
As you know, there are several authentication scenarios in the Windows native supplicant. One of them is the "User or Computer Authentication" option:
Based on the official documents, by selecting the "User or Computer Authentication" option, Windows performs an 802.1X authentication with computer credentials before displaying the Windows logon screen. Windows performs another 802.1X authentication with user credentials after the user has logged on.
Based on the above statement, Microsoft should choose AND instead of OR for this option. Right?
Is there any scenario you know of which forces the OR operation (the computer authentication or the user authentication)?
Thanks
Labels: AAA

Accepted Solution
12-08-2024 05:43 PM
The following article explains how this works with traditional EAP methods.
https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html
I also describe and illustrate how this works with both traditional EAP methods and TEAP in my blog here.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835
12-08-2024 12:46 AM - edited 12-08-2024 12:54 AM
If I recall correctly, the addition of user authentication is tied to EAP chaining in which it is a logical AND.
Edit: Re-reading, my initial response didn't answer your question at all. This appears to be a limitation of the OS rather than of ISE, which can be configured to accept in an AND/OR manner.
12-08-2024 02:12 AM - edited 12-08-2024 02:14 AM
Short answer is no with the native supplicant, but you have the Machine Access Restriction feature on ISE, which basically caches your machine auth for the defined period of time; within this time only user authentication happens, since the previous machine auth is already cached, unless the Windows device goes through a reboot or a complete logout.
There are some restrictions, pros and cons that you can read about here
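The cache behaviour described in the post above, as an added model that is not part of the thread or of ISE's own code: a server-side cache keyed on the endpoint MAC remembers the last successful machine authentication, and a later user authentication is treated as "machine AND user" only while that entry is inside the aging window. The aging value, the event names (`boot`, `logon`) and the outcome labels are assumptions made for the illustration; the timeline is constructed.

```python
"""Model of how a machine-authentication cache (the feature ISE calls Machine
Access Restriction, MAR) turns the supplicant's "user or computer" behaviour
into an effective "computer AND user" check on the RADIUS server.
Constructed illustration, not ISE code; aging window and labels are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MachineAuthCache:
    """Remembers, per endpoint MAC, when the last successful machine auth happened."""
    aging: timedelta
    last_machine_auth: dict = field(default_factory=dict)

    def record(self, mac: str, when: datetime) -> None:
        self.last_machine_auth[mac] = when

    def is_fresh(self, mac: str, now: datetime) -> bool:
        seen = self.last_machine_auth.get(mac)
        return seen is not None and now - seen <= self.aging


def authorize_user(cache: MachineAuthCache, mac: str, now: datetime) -> str:
    """Outcome of a user authentication: 'machine_and_user' only when a machine
    auth for this MAC is still inside the aging window, else 'user_only'."""
    return "machine_and_user" if cache.is_fresh(mac, now) else "user_only"


def simulate(events, aging_hours: float):
    """Replay supplicant events. 'boot' = device (re)boots or the user logs off,
    which makes the native supplicant run machine auth before the logon screen;
    'logon' = the user authentication that follows a Windows logon."""
    cache = MachineAuthCache(timedelta(hours=aging_hours))
    decisions = []
    for when, mac, event in events:
        if event == "boot":
            cache.record(mac, when)
            decisions.append((when, event, "machine_authenticated"))
        elif event == "logon":
            decisions.append((when, event, authorize_user(cache, mac, now=when)))
        else:
            raise ValueError(f"unknown event {event!r}")
    return decisions


# Constructed sample timeline for one endpoint (MAC is made up).
T0 = datetime(2024, 12, 8, 8, 0)
MAC = "00:11:22:33:44:55"
SAMPLE_EVENTS = [
    (T0, MAC, "boot"),
    (T0 + timedelta(minutes=2), MAC, "logon"),
    (T0 + timedelta(hours=4), MAC, "logon"),           # re-auth without reboot
    (T0 + timedelta(hours=9), MAC, "logon"),           # past the window, no machine auth since
    (T0 + timedelta(hours=9, minutes=5), MAC, "boot"),  # reboot refreshes the cache
    (T0 + timedelta(hours=9, minutes=7), MAC, "logon"),
]


def run_sample(aging_hours: float = 6):
    """Outcomes for the constructed timeline under a given aging window."""
    return [outcome for _, _, outcome in simulate(SAMPLE_EVENTS, aging_hours)]


if __name__ == "__main__":
    for when, event, outcome in simulate(SAMPLE_EVENTS, 6):
        print(f"{when:%H:%M} {event:<5} -> {outcome}")
```

The fourth event shows the restriction the post alludes to: once the window expires without a reboot or logoff, the user authentication is evaluated on its own, because the supplicant does not re-run machine authentication on its own. The model also makes the trust boundary visible: the cache is keyed on the MAC address the server saw, not on anything cryptographically bound to the user session, which is why EAP chaining (TEAP), mentioned elsewhere in this thread, gives a stronger AND than a cache.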
12-08-2024 10:05 PM
Exactly useful for me. Thank you...
