Solved: Re: ISE Authorization Flow

naoki_Japan · ‎09-27-2021

I watched vide to learn how install the combination of machine and user authentication (dot1x) using ISE and AD.

And there is one things I am wandering regarding authorization flow.

In that video, he created two authorization (for machine authentication and for user authentication).

I do not understand why more than one authorization flows are processed.

Rob Ingram · ‎09-27-2021

@naoki_Japan yes your understanding is correct, authorisation takes place separately, one for the computer and another for the user. As does authentication, the computer and user are also separately authenticated.

View solution in original post

Rob Ingram · ‎09-27-2021

Hi@naoki_Japan

The authorisation settings for the computer and the user are separate because different settings maybe applied. For example when the computer is booting up and is authenticated/authorised via ISE, you may wish to apply an DACL or SGT to limit the computer access to only AD Domain Controllers to authenticate and download group policies. When the user then connects, depending on their group membership you will likely apply a different DACL or SGT during the Authorisation process, granting full access to the network.

naoki_Japan · ‎09-27-2021

I think you are right. In the video, he set different conditions and policy (as you wrote).

In conclusion, only one authorization is processed at one time.

When PC is booting up, the computer authentication process takes place and

,when user logs in, the user authentication process does.

My understanding is right?

Rob Ingram · ‎09-27-2021

@naoki_Japan yes your understanding is correct, authorisation takes place separately, one for the computer and another for the user. As does authentication, the computer and user are also separately authenticated.

naoki_Japan · ‎09-27-2021

I appreciate your support!!!!