Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4078
Views
5
Helpful
2
Comments

Machine +User Auth for windows endpoint autheticating through ISE

Anim Saxena
Level 1
Level 1

‎11-12-2012 08:40 PM - edited ‎02-21-2020 09:58 PM

 

 

Introduction:

This document discuss about machine + user end point authentication using ISE.

Problem:

Is there any way to use machine + user authentication  at same time when authenticating Windows machine through ISE.  In Windows native supplicant there is option as

1) Machine OR user Auth

2) User Authentication

3) Machine Authentication

4) Guest authentication

 

You want to give more privileged access to endpoints where they are joined to AD domain AND the user is logged in using AD credentials.

Is there any way to achieve this functionality.

 

Solution:

 

There is one way to achieve Machine+User authentication through ISE.

 

Prerequisites:  For windows 7 machine, please select “User or computer Authentication “ in authentication method ( Not applicable to Windows Xp)

 

You need to create two rules in Authorization policy as below

 

1st Rule  :     

 

iselabin.local:ExternalGroups==Domain  Computers

 

With the 1st rule , machine will get authorized access when machine boots up ( Before user enters his credentials)

 

2nd Rule:

 

Network Access:WasMachineAuthenticated ==True

 

                             AND

 

iselabin.local:ExternalGroups==Domain Users

 

User will enter credentials and he will get authorized access because of  2nd Rule.Please find attached screen shot

 

 

Machine+User.jpg

 

 

Reference:

1.) ISE release notes

2.) Anyconnect deployment

 

 

 

This document was generated from the following discussion: Machine +User Auth for windows endpoint authenticating through ISE

Labels:
Comments
Boris Alban Cedric NZIMBOU KIMBEMBE
Level 1
Level 1
‎02-14-2013 07:31 AM

Thanks For this greatfull document , But i have an issues With My Wireless Employee Connexion (802.1X EAP connexion ) .

When user are on wired connexion and then come to wireless employee on XP or Seven the name of the machine is not automaticaly sent ti ISE in the 802.1x message. I Have to restart the machine to thave the machine name sent in the 802.1x Message .

Is this normal ? Is there any parameter to have the name of the machine sent auromaticaly on the wireless!!!!

Thanks for the support

Anim Saxena
Level 1
Level 1
‎02-18-2013 08:23 PM

Hi Boris,

Thanks for the appreciation for the document. Regarding the problem you are facing you can open a discussion where you can get help easily. I will also look for your querry.

Regards,

Anim Saxena

Technical Community Manager: Network Security

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents