Machine +User Auth for windows endpoint autheticating through ISE

Introduction:

This document discusses machine + user endpoint authentication using ISE.

Problem:

Is there any way to use machine + user authentication at the same time when authenticating a Windows machine through ISE? The Windows native supplicant offers these options:

1) Machine OR user authentication

2) User authentication

3) Machine authentication

4) Guest authentication

 

You want to give more privileged access to endpoints that are joined to the AD domain AND on which the user is logged in with AD credentials.

Is there any way to achieve this?

 

Solution:

 

There is one way to achieve Machine+User authentication through ISE.

 

Prerequisites: For Windows 7 machines, select “User or computer authentication” as the authentication method (not applicable to Windows XP).

 

You need to create two rules in the Authorization policy, as below:

 

1st Rule:

 

iselabin.local:ExternalGroups==Domain Computers

 

With the 1st rule, the machine gets authorized access when it boots up (before the user enters credentials).

 

2nd Rule:

 

Network Access:WasMachineAuthenticated==True

AND

iselabin.local:ExternalGroups==Domain Users

 

The user then enters credentials and gets authorized access because of the 2nd rule. Please find the attached screenshot:

 

 

Machine+User.jpg
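To make the first-match evaluation of the two rules concrete, here is an added example (not Cisco or ISE code) that models the policy above in Python. The attribute names mirror the ISE conditions shown; the access profile names, the default deny rule, and keying the "was machine authenticated" state on the endpoint MAC are simplifying assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    """Attributes ISE sees for one RADIUS authentication attempt (constructed)."""
    mac: str                  # Calling-Station-Id of the endpoint
    identity: str             # host/<name> for machine auth, user principal for user auth
    external_groups: set      # AD groups resolved for the identity (iselabin.local:ExternalGroups)
    was_machine_authenticated: bool = False   # Network Access:WasMachineAuthenticated

@dataclass
class AuthzPolicy:
    # Endpoints whose machine authentication already succeeded. Keying this on the
    # endpoint MAC is a simplifying assumption of this example, not ISE's exact mechanism.
    machine_authed: set = field(default_factory=set)

    def authorize(self, s: Session) -> str:
        """Evaluate the two rules top-down; first match wins, else the default rule."""
        s.was_machine_authenticated = s.mac in self.machine_authed
        # 1st rule: iselabin.local:ExternalGroups == Domain Computers
        # (matches at boot, before any user has logged on)
        if "Domain Computers" in s.external_groups:
            self.machine_authed.add(s.mac)
            return "Machine_Access"
        # 2nd rule: Network Access:WasMachineAuthenticated == True
        #           AND iselabin.local:ExternalGroups == Domain Users
        if s.was_machine_authenticated and "Domain Users" in s.external_groups:
            return "Full_Employee_Access"
        # Default rule (assumed): neither rule matched, so no privileged access
        return "DenyAccess"

def walkthrough():
    """Constructed sessions: boot, then user logon on the same endpoint, then a user
    logon from an endpoint that never passed machine authentication."""
    policy = AuthzPolicy()
    boot = Session("00:11:22:33:44:55", "host/PC1.iselabin.local", {"Domain Computers"})
    logon = Session("00:11:22:33:44:55", "alice@iselabin.local", {"Domain Users"})
    stranger = Session("aa:bb:cc:dd:ee:ff", "bob@iselabin.local", {"Domain Users"})
    return [policy.authorize(boot), policy.authorize(logon), policy.authorize(stranger)]

if __name__ == "__main__":
    print(walkthrough())  # ['Machine_Access', 'Full_Employee_Access', 'DenyAccess']
```

The third session shows why both rules are needed: a valid domain user on an endpoint that never passed machine authentication falls through to the default rule instead of receiving the privileged profile.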

 

 


 

 

 

This document was generated from the following discussion: Machine +User Auth for windows endpoint authenticating through ISE

Comments

Thanks for this great document, but I have an issue with my wireless employee connection (802.1X EAP connection).

When users are on a wired connection and then come to the wireless employee network on XP or Seven, the name of the machine is not automatically sent to ISE in the 802.1X message. I have to restart the machine to have the machine name sent in the 802.1X message.

Is this normal? Is there any parameter to have the name of the machine sent automatically on the wireless?

Thanks for the support


Hi Boris,

Thanks for the appreciation for the document. Regarding the problem you are facing, you can open a discussion where you can get help easily. I will also look into your query.

Regards,

Anim Saxena

Technical Community Manager: Network Security