What is happening to the UserA dACL on the switch for that session? - The user login will trigger a new dACL to be applied to the switch port; the machine dACL is then removed, since this triggers a new AAA session.
Does the workstation supplicant tell the NAD that UserA has disconnected? - When the user logs off, computer authentication then occurs, which will apply the machine ACL to the port, since this triggers a new AAA session.
Does the workstation supplicant perform a new machine authentication so the machine dACL will now be reapplied to the session, or is the switch still stuck with the UserA dACL for that session? - When the user logs off, the machine ACL should be applied; if the user locks the machine, then the UserA ACL is still on the port.
Here is some information that will provide insight into when the machine authentication is triggered; logging off the client should be one of those scenarios.
◦ Ethernet/WiFi transitions: Calling-Station-ID (MAC address) is used to link machine and user authentication; MAC address will change when laptop moves from wired to wireless breaking the MAR linkage.
◦ Machine state caching: The state cache of previous machine authentications is neither persistent across ACS/ISE reboots nor replicated amongst ACS/ISE instances.
◦ Hibernation/Standby: 802.1X fails when the endpoint enters sleep/hibernate mode and then moves to a different location, or comes back into the office the following day, where machine auth cache is not present in new RADIUS server or has timed out.
I think the best solution out right now is the AnyConnect NAM with EAP chaining: they perform machine authentication when booting up and logging off, and they perform EAP chaining each and every time a user authenticates. You can also remove the machine authenticated condition and use the EAP-chaining condition instead.
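To make the three MAR failure scenarios above concrete, here is an added model (not Cisco ISE or ACS code, and not from the poster) of how a machine-authentication cache keyed on Calling-Station-ID behaves versus EAP chaining. The cache TTL, node names, MAC addresses and dACL names are constructed assumptions; the logic only encodes what the post states: the cache is per node, not persistent, and linked by MAC.

```python
"""Model of Machine Access Restriction (MAR) versus EAP chaining.

Constructed example for illustration; not Cisco ISE/ACS code. Cache layout,
TTL, node names, MAC addresses and dACL names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class MarCache:
    """Per-RADIUS-node cache of recent machine authentications.

    Keyed by Calling-Station-ID (the endpoint MAC). As the post notes, the
    cache is neither replicated to other nodes nor kept across a restart.
    """
    ttl_seconds: int
    entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        ts = self.entries.get(mac)
        if ts is None:
            return False                      # never seen on this node
        if now - ts > self.ttl_seconds:
            del self.entries[mac]             # aged out (e.g. next-day login)
            return False
        return True

    def restart(self) -> None:
        self.entries.clear()                  # cache is not persistent


# Constructed dACL names standing in for whatever the policy would push.
MACHINE_DACL = "PERMIT_MACHINE_ONLY"
USER_DACL = "PERMIT_USER_FULL"
DENY_DACL = "DENY_ALL"


def authorize_user_mar(cache: MarCache, mac: str, now: float) -> str:
    """User authentication under MAR: full access only if this MAC recently
    machine-authenticated on the same RADIUS node."""
    if cache.was_machine_authenticated(mac, now):
        return USER_DACL
    return DENY_DACL


def authorize_eap_chaining(machine_ok: bool, user_ok: bool) -> str:
    """EAP chaining (EAP-FAST with AnyConnect NAM): both credentials are
    carried in one EAP conversation, so no cross-request cache is needed."""
    if machine_ok and user_ok:
        return USER_DACL
    if machine_ok:
        return MACHINE_DACL
    return DENY_DACL


def run_scenarios(ttl_seconds: int = 8 * 3600) -> Dict[str, str]:
    """Walk through the scenarios listed in the post and return the dACL
    each one would produce."""
    node_a = MarCache(ttl_seconds)
    node_b = MarCache(ttl_seconds)            # second node, no replication
    wired_mac = "00:11:22:33:44:55"           # constructed
    wifi_mac = "66:77:88:99:aa:bb"            # constructed
    t0 = 0.0
    node_a.record_machine_auth(wired_mac, t0) # machine auth at boot

    results = {}
    results["wired_same_node"] = authorize_user_mar(node_a, wired_mac, t0 + 60)
    # Laptop moves to Wi-Fi: new Calling-Station-ID, MAR linkage broken.
    results["moved_to_wifi"] = authorize_user_mar(node_a, wifi_mac, t0 + 60)
    # Request lands on a different ISE/ACS node that never saw the machine.
    results["other_node"] = authorize_user_mar(node_b, wired_mac, t0 + 60)
    # Endpoint hibernates and comes back the following day.
    results["next_day"] = authorize_user_mar(node_a, wired_mac, t0 + 86400)
    # Node restarts: cache gone even if the entry was still fresh.
    node_a.record_machine_auth(wired_mac, t0)
    node_a.restart()
    results["after_restart"] = authorize_user_mar(node_a, wired_mac, t0 + 60)
    # EAP chaining carries both credentials, so none of the above matters.
    results["eap_chaining"] = authorize_eap_chaining(True, True)
    return results


if __name__ == "__main__":
    for scenario, dacl in run_scenarios().items():
        print(f"{scenario:18s} -> {dacl}")
```

Only the first scenario yields the user dACL under MAR; the Wi-Fi move, the unreplicated second node, the next-day return and the restart all fall back to the deny result, while the EAP chaining path is unaffected because it does not depend on any cached state.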