Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
493
Views
3
Helpful
4
Replies

User or Computer Authentication option...

Go to solution
rezaalikhani
VIP
VIP

‎12-08-2024 12:07 AM

Hi all;

As you know, there is several authentication scenarios in Windows native supplicant. One of them is "User or Authentication" option:

rezaalikhani_0-1733644808835.png

Based on the official documents, by selecting "User or Computer Authentication" option, Windows performs an 802.1X authentication with computer credentials before displaying the Windows logon screen. Windows performs another 802.1X authentication with user credentials after the user has logged on.

Based on the above statement, Microsoft should choose AND instead of OR for this option. Right?

Is there any scenario you know which forces the OR operation (the computer authentication or user authentication)?

Thanks

 

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎12-08-2024 05:43 PM

The following article explains how this works with traditional EAP methods.
https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html

I also describe and illustrate how this works with both traditional EAP methods and TEAP in my blog here.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835

 

View solution in original post

4 Replies 4

Go to solution
stephan.l.martin1
Level 1
Level 1

‎12-08-2024 12:46 AM - edited ‎12-08-2024 12:54 AM

If I recall correctly, the addition of user authentication is tied to EAP chaining in which it is a logical AND. 

Edit: Re-reading my initial response didn’t answer your question at all. This appears to be a limitation of the OS rather than ISE which can be configured to accept in an AND/OR manner. 

0 Helpful

Go to solution
ammahend
VIP Alumni
VIP Alumni

‎12-08-2024 02:12 AM - edited ‎12-08-2024 02:14 AM

Short answer is No with native supplicant, but you have machine access restriction feature on ISE which basically caches your machine auth for the defined period of time, between this time only user authentication happens since previous machine auth is already cached, unless windows device goers thought a reboot or complete logout.
There are some restriction, pros and cons that you can read here

-hope this helps-
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎12-08-2024 05:43 PM

The following article explains how this works with traditional EAP methods.
https://www.networkworld.com/article/940452/machine-authentication-and-user-authentication.html

I also describe and illustrate how this works with both traditional EAP methods and TEAP in my blog here.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835

 

Go to solution
rezaalikhani
VIP
VIP
In response to Greg Gibbs

‎12-08-2024 10:05 PM

Exactly useful for me. Thank you...

0 Helpful
Customers Also Viewed These Support Documents
Top