We are running Cisco ISE 220.127.116.117 patch 6. In my ISE policy set I have the following rule options (all give the same access for now):

- Machine and User Cert
- Machine only Cert
- User only Cert
- User AD only
- Machine in AD only

We are using the native Windows supplicant configured for Machine or User. This has worked well up until the Windows 10 roll out and the introduction of the Windows Self Service Password recovery option. For those of you who do not know, when your laptop is locked you can click this option and it spins up a temporary profile on the Windows machine to process the password reset. Unfortunately, if the client is using 802.1x wireless it will not work. The user gets a message saying that the internet is required. What we have seen is that once that temporary profile is spun up, the laptop now loses its IP address. I do not see anything in the event live logs to even see this client attempting to connect in this state. If we change the Windows supplicant to Machine only then we do not experience this issue; it works as the client support team expects. In addition, if the machine is in a locked state and user 2 comes to log into the device, we see the same behavior. Has anyone else encountered this, and is there a way around this without lowering our security posture to machine only authentication?
We are using a Meraki Wireless network, and we have rolled out ISE to authenticate the users. We have a tiered structure: if the machine and user cert are on, then the user has full access. If they only have valid AD credentials, they get a BYOD type access. What we are experiencing are devices that connect with full access and then randomly throughout the day re-auth as only BYOD. When the machine first boots it validates the machine and user cert; throughout the day when it re-auths it is only able to see the user, so it gives the lower access.
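Both posts above hinge on the authentication mode of the Windows native supplicant's Wi-Fi profile (Machine or User versus Machine only). The following PowerShell is an added example and is not code from either poster, from Cisco, Meraki or Microsoft: it exports a saved WLAN profile with netsh and reads the 802.1X authMode and outer EAP method out of the profile XML, so a support team can confirm which mode a device is actually using before touching ISE policy. The profile name "Corp-WiFi" is an assumed placeholder; the XML element names and namespaces are those of the Windows WLAN and OneX profile schemas.

```powershell
# Added example (not from the original posts): report the 802.1X authMode
# and outer EAP method of a saved Windows WLAN profile.
function Get-WlanOneXSettings {
    param(
        [Parameter(Mandatory)]
        [string]$ProfileName   # e.g. 'Corp-WiFi' (assumed placeholder name)
    )

    # Export the profile to a scratch folder. An 802.1X profile carries no
    # pre-shared key, so no secret material is written to disk here.
    $exportDir = Join-Path $env:TEMP ('wlan-export-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    $netshOutput = netsh wlan export profile name="$ProfileName" folder="$exportDir"
    $xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
    if (-not $xmlFile) {
        throw "Profile '$ProfileName' not found or export failed: $netshOutput"
    }

    [xml]$doc = Get-Content -Path $xmlFile.FullName -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')

    $useOneX  = $doc.SelectSingleNode('//w:useOneX', $ns)
    $authMode = $doc.SelectSingleNode('//o:authMode', $ns)
    # The outer EAP type sits in EapHostConfig/EapMethod/Type (13 = EAP-TLS,
    # 25 = PEAP). Match by local name so the EapCommon namespace prefix does not matter.
    $eapType  = $doc.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")

    Remove-Item -Path $exportDir -Recurse -Force

    # Windows semantics of authMode (OneX profile schema):
    #   machine       - always authenticates with the computer credential
    #   user          - always authenticates with the logged-on user's credential
    #   machineOrUser - computer credential while no user is logged on, the
    #                   user's credential once a user has logged on; a
    #                   re-authentication during a user session therefore
    #                   presents only the user identity to the RADIUS server
    [pscustomobject]@{
        Profile   = $ProfileName
        Uses8021X = if ($useOneX)  { [bool]::Parse($useOneX.InnerText) } else { $false }
        AuthMode  = if ($authMode) { $authMode.InnerText } else { 'not set' }
        EapType   = if ($eapType)  { [int]$eapType.InnerText } else { $null }
    }
}

# Usage: inspect the corporate SSID profile on this device (profile name is assumed).
Get-WlanOneXSettings -ProfileName 'Corp-WiFi' | Format-List
```

Run it in a PowerShell session on the affected laptop (no elevation is needed to export a profile without key material). An `AuthMode` of `machineOrUser` together with an `EapType` of 13 is the configuration both posters describe, and it explains why a server that keys access on seeing both certificates in one session will only see the user certificate when the supplicant re-authenticates during a logged-on session.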