Exactly what I'm looking for! +1 *10^6!!!

Option 1 seems a bit problematic, as those ocassional user reboots will be annoying and look like things are not reliable.  I'm not sure where the "MAR timer" is.  The one timer I am aware of, called the Reauthentication Timer under Policy Results --> Authorization Profiles seems to max out at 65335 seconds, which is about 18 hours.

I'm playing with Option 2 now, and that will probably be the way I go.  I'll assume that if only "Computer Authentication" is selected in the Windows Security Wireless settings, that when the machine wakes up, thatis the credential that will be sent, as that's the only one Windows has to work with.  User Authentication is still necessary to get onto the PC so it's not a complete failure of concept.

Option 3 is possible, and we have AnyConnect and its Web Security module rolled out to users.  As I've never used NAM, I'm hesitant, as the transition is supposed to be transparent to the users, and I've never used NAM to know how intrusive it is to install, configure, use, etc.  In taking a look at the TrustSec paper, I have the following question:

My users are familiar with the AnyConnect User Interface, in that it is installed on every laptop, and presumably some of them need it to access anything via VPN.  However, when they are on site, they do not utilize the interface. Web Security is enabled, but they never see the UI unless they go to the System Tray.  Additionally, we're not currently ising ISE to manage wired access.  It appears that once NAM is installed, the user MUST use the AnyConnect User Interface when connected via WiFi.  Is this a true statement?  If so, presumably, if we were to use ISE for wired access, they''d need to use it there too.

Lastly, if we were to use NAM, I'd need to be able to install and configure it via SCCM or some other automated means.  Users do not have admin rights, and cannot install software themselves. I'm thinking everybody's profile would be similar, if not identical.

I'll leave my Apple Macintosh concerns for another day.

Glad I was able to help :) Now to answer your questions:

#1 - The MAR timer is located under Administration->Identity Management->External Identity Sources->Active Directory->Advanced Settings. There you will see an option called "Enable Machine Access Restrictions" and right below that you will find the MAR timer

 #2 - Yes, you are correct. The machine credentials will be used to authenticate on the network while user credentials will be used to log the user on the machine.

#3 - You are correct again. The Cisco NAM client will basically replace the native windows supplicant. Thus, users will have to use it for personal type connections as well. You should download and install it on your machine try the experience. 

#4 - If the users do not have local admin rights then you will have to push the software and the appropriate settings/profiles via SCCM/Config Center or something similar

#5  - I haven't tried this with Apple computers but I have heard that they can also be joined to the domain. So I suppose it could be possible that you can perform machine authentication with them as well I am just not sure. The link below sheds some light:

https://discussions.apple.com/thread/4990427

Thank you for rating helpful posts! 

OK, option 2 seems to be working for me,  I had a machine sleeping all weekend, and this morning it woke right up and I had full access!  I seem to recall a similar issue maybe 6-7 years ago in another universe, far, far away.  Results attached.  Now to share this solution with my testing team.

I played with option 3 for a bit as well, and the machine I was using already had AnyConnect VPN and Web Security, as well as DART and the Web Security Profile Editor.  I installed NAM via the standalone MSI file, and the only weird thing I saw was that the NAM Profile Editor was nowhere to be found.  I was hoping that it would show up, as I believe I need to place a valid profile on the ASA or in an SCCM bundle so it would download.  I don't expect users being allowed to edit the profile.  However, since option 2 seems to be working, I'm going to give up on this option, as it isn't transparent.

Glad to hear that option 2 is working for you! For your second question: You will need to download the 
"Profile Editor" from cisco.com. The name of the file for the latest version is: anyconnect-profileeditor-win-3.1.05170-k9.exe

Thank you for rating helpful posts! 

Dear Neno Spasov ,

I just want to understand is that if what exact access we need to be allowed in Machin authnetication acl..?

Thanks 

Pranav

I am sorry Pranav but I am not sure what exactly you are asking. Can you please elaborate?

Pranav, if the devices you need the DACLs on are wireless controllers, you need to create the ACLs ON the WLCs AND refer to them by name in the ISE AuthZ Policy Results (Airespace ACL Name).  The WLCS do not actually download they are simply called by name.

If you do not have a corresponding name on the WLC, your traffic will not pass, nor will you have a log of it being dropped.

Hi ,

Thanks for reply.. Can you tell me what contents need to be mentioned in Machine Acl ?

What is standard way are we need to enable domain controllers on IP level or TCP/UDP port secific in machin logon acl..

Thanks 

Pranav

I don't know your security requirements, so this becomes a difficult question to answer 100% correctly.

That being said, because the devices are using machine authentication and a user credential, your machine ACL probably doesn't need to be bullet-proof. You could test the concept by placing one rule that permits any traffic, and then filter it down further as need be.

Thanks CSCFitzie_2 ,

Thanks a lot for your help..

Thanks 

Pranav

Keep in mind that lenghty dACLs can be not only a pain to manage but can also deplete TCAM resources on your switch. Take a look at the following link as an example:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/66978-tcam-cat-4500.html

Thank you for rating helpful post!