Thanks for the reminder, the show notes will be posted shortly, in the mean time here are the configuration links I referred to: Easy Connect: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200559-Configure-EasyConnect-on-ISE-2-1.html TC NAC with AMP: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200550-Configure-ISE-2-1-Threat-Centric-NAC-TC.html TC NAC with Qualys: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200548-Configure-ISE-2-1-Threat-Centric-NAC-TC.html ... View more

Noel, Patch 4 was just released a few hours ago with the fix for the open cursors purging issue.  If you continue to see the purge error after applying the patch please open a TAC case so the stuck purge processes can be manually cleared. --Jesse ... View more

They would only get the RSA prompt for token, on ACS 4.2 you can use RSA with an LDAP group mapping to achieve RSA authentication but still pass the desired DAL based on their LDAP mapping.  The username in RSA would have to be the same as the username in LDAP for this to work. --Jesse ... View more

A small clarification here about your statement:      "The PC will try machine authentication once it boots up. Once  is entered, the PC initiate 802.1x  authentication by sending     EAPOL start. The AP or switch should change  the state of the PC from authenticated to authenticating. Thus, the PC  should not get network     connectivity unless it passes user authentication  again. If you use a local account to logon to the PC, the PC should not  pass 802.1xauthentication.      At least, that's how Cisco equipment works."      This is not up to Cisco equipment, the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start as you stated), this is wholey up to the supplicant installed on the PC.  So with this < 60 second window that is being seen here it is most likely due to slow load of the user space/desktop. An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client) that way the user is authenticated before they have access to the desktop. --Jesse ... View more

Phillippe,      PEAP is supported through the APs which is most likely what you will use in a Microsoft environment.  This is covered under the Open-EAP heading. --Jesse ... View more

Jeremy,      When the user enters their username/password the supplicant switches to user authentication mode and should send an EAPoL start forcing an immediate re-authentication on the port, what supplicant are you using (if windows what service pack are you running on XP)?  There may be some settings you need to tweak and if the machine is slow to boot it may take some time for the supplicant to be ready.  If the user compromises the machine you have bigger issues though, with access to the machine the user can disable user login and force machine authentication only even in the user space.  You may want to considder going the EAP-TLS route that way if a user laptop is stollen the certificate can be revoked preventing the machine from gaining access to the network.   I guess this could also be accomplished by deleting the account from the domain.      Something else to considder would be to have a limited Machine Authentication VLAN and assign the user VLAN with the user authentication, this has implications on GPOs though as you are interrupting network access at the user login so you may need to delay those. --Jesse ... View more

Alex,      You can add as may Root CAs as you would like to the certificate profile under Users and Identity Stores -> Certifiacte Authorities.   ACS does not need to be assigned multiple identity certificates to support different certificates from clients. --Jesse ... View more

Jatin,      In order for ACS to authenticate two different forests you would need to have a Forest Trust between the two, you stated I believe that there is not forest trust so in your case you would not be able to authenticated to two as you can only have 1 external windows domain defined. --Jesse ... View more

There is no difference between a sponsor authentication request and an admin sponsor request so you are going to see the passed authentication on the ACS and depending on what service-type you pass to the NGS you will see a pass or failure.  That is the nature of Radius authorization. --Jesse ... View more

Duncan,      If you are going to do command authorization against ACS then you don't need to assign level 2, you will assign level 15 and then all commands are authorized against the ACS to determine if that user is allowed to run that command or not.  If you pass level 2 then only commands that are at level 2 or below will be shown to the user. --Jesse ... View more

Eric,      There are a couple of ways you can handle this but either way will work off of the calling-station-id, the WLC sets this to : , in ACS 4.2 you can either create CLI/DNIS Network Access Restrictions, say your guest SSID is named "guest" your NAR would look like this:       Check the box for Define CLI/DNIS-based access restrictions.       Set it to Permitted Calling/Point of Access Locations.       AAA Client: Set it to you Wireless Network Device or Wireless Network Device Group.       Port: Set it to *       CLI: Set it to *       DNIS: Set it to *:guest       You will also want to add your VPN concentrator as a Permitted device as well.       AAA Client: Set it to you VPN Network Device or VPN Network Device Group.       Port: Set it to *       CLI: Set it to *       DNIS: Set it to *      In ACS 5.2 you can do the same type of thing under Policy Elements -> Network Conditions -> End Staion Filters, you can create a CLI/DNIS filter settings DNIS to *:guest and you can use that end station filter in either a service selection or authorization policy by hitting the customize button on the bottom right of either of those pages and adding the end station filter to the selected column. --Jesse ... View more

Use NAS-Prompt (7) instead of Administrative (6) for sponsor users. --Jesse ... View more

Hello,      You can get more information about why it is cycling with (debug dot1x all, debug radius, debug authenticaion all, debug auth feature all).  Also ACS does not assign the phone to the voice vlan, that is going to happen as if the 802.1x was not enabled, this will be via CDP, LLDP, DHCP or Staticaly defined on the phone.  The attribute device-traffic-class=voice assigns the phone to the voice domain which is strictly an authentication manager designation. --Jesse ... View more

I just tried this here in my lab and you seem to have the authorization profile set up correctly for service-type administrative.  Are you seeing a passed authentication on your ACS for the login?  If so check the authetnication details and make sure you are passing back the correct authorization profile. --Jesse ... View more