Yeah, I get that.  What about using them both together.  So lets say that the macine authenticates so that it can download any machine policies from AD and then the user logs in and it re authenticates to the wireless.  Is there any value it that, or is it over complicating things.  Here are the scenerios.

1) We don't want users being able to use personal devices, so using user authentication is out.

2) we have some company devices that can't join a domain, like ipads, so user authentication is in...

I realize that I could create 2 seperate SSIDs for these situations... So maybe do one with machine authentication for the company AD devices and then user authenication for the non AD devices?

then there is the issue if the device is stolen, then what do we do?  They don't want a stolen device to be able to attach to the wireless network.  that is why I ask the question of using both user and machine authenication... but now that I think about it, we could just kill the stolen device out of AD or something and that should take care of it.

Besides, on Windows 7, there is an option to use User or machine authentication.  As I watch my radius logs, it looks like it does machine auth first and then reauthenticates using the user name.  Tying to determine if that has any benefit or not.

Well since you have both domain computers and no domain devices, then you are on the right track.  You shoul have two ssid's if you ask me, so that you can map the ssid for non-domain devices to a vlan you can filter better.  As for Windows 7 using User or Computer.... that means both.  You will need to have a user and computer certificate in order to choose this setting.  With certificates for user and computers, you can always revoke the certificate and remove the user from AD or the OU.  Even if you have User and Computer and the device gets stolen, well.... until you remove the computer or user, that device will be able to get on the network.  So it will be how fast the user tells you he or she has lost their laptop and how long it takes for them to remove the user or computer from AD.  WIndows 7 along with Vista does have a setting to allow the computer to access the network before the login prompt is presented to the user.

So really then, there isn't a whole lot of benefit of trying to force both user and machine authentication on the same SSID.  Is that right?  I would also think that if you allowed the machine have access by group, if its stolen, then you could just remove it from the group.  Plus, the thief would still need an AD acct which they may or may not have, depending on who it is.  But if its stolen and there is not a local profile on the machine and the machine is not on our network, they still wouldn't get on.  The danger is really only if the thief is an employee that may also have credentials or has stolen credentials.

Like I say, I just may be overly paranoid, but my security hat tends to get me to think that way.  The main point is to keep peple from bring their own personal devices in and attaching.  I think I have mitigated that.  I am just trying to think of any other scenerios while I am thinking about it.

Thanks for the feedback!

Also, how does MAR play into all of this.  (Machine Access Restriction)?

Nick,

I understand the difference between the two, what I am trying to understand is the benefit of using both together and if there are any issues with doing that, such as overhead.

Hi Vinay,

You need a button for "helpful answer"  Scott's answer was helpful, but not entirely what I was looking for.

I was introduced to it at CiscoLive.  It is definately something I am going to look into further.  The main question regarding ISE is how mature is it as a product.  Its obviously new and I know its supoosed to be some kind of combo of NAC and ACS. 

2nd question is, can I afford it.

I hear ya my friend...

You can also get creative with dyamic vlans with a WLC and radius server. This can be an optoin at some level that might help you ...