Have a scenario where a customer is using a Windows supplicant and would like to use 802.1X certificate-based port authentication.
Machine certs are used to only allow corporate machines onto the network, and re-auth using user certs when a user logs on to the system, with elevated policy privileges dependent on who logs in, which all works.
The question is: is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses the machine cert to connect to the network, but the use of roaming certificates is proving a challenge on the Microsoft side of things; it's a little clunky! User certs are needed to pass the username as part of the authorisation process to assign the associated rule in NAC based on AD group.
I know you can augment the XMC database with username details, say through Kerberos snooping or API integration, say with Palo Alto. The problem is that in the past, when I've tried using this information as part of the NAC rules, the information appears after the fact of the port being authenticated.
One example of that was using DHCP fingerprint to determine device type, say a specific printer, to complement MAC authentication, but because that information isn't available until after authentication you can't use it.
It's probably possible, and there are possibly many different ways of doing it, but I'd be interested in anyone's thoughts.
Many thanks in advance.
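The timing problem described in the post (username or DHCP fingerprint only arriving after the port has already been authorised on the machine cert or MAC alone) can be modelled as a small rule engine that evaluates once at Access-Request time with whatever attributes exist then, and evaluates again when later enrichment lands, emitting a change-of-authorisation when the matching policy changes. This is an added illustrative example, not code from the original post or from XMC/ExtremeControl; the rule names, policy names, attribute keys and the session data are all invented here, and the CoA is represented as a string rather than an actual RFC 5176 message.

```python
"""Toy model of NAC rule evaluation with post-authentication enrichment.

Added example; rule and policy names, attribute keys and sessions are
hypothetical and not taken from any real NAC product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A session is just the set of attributes the NAC knows about an endpoint
# at a given moment (auth method, cert CN, username, AD groups, ...).
Session = Dict[str, object]


@dataclass
class Rule:
    name: str
    policy: str
    match: Callable[[Session], bool]


DEFAULT_POLICY = "Quarantine"

# First-match rule set. Rules that depend on enrichment data (AD groups,
# DHCP fingerprint) sit above the plain "corporate machine" rule so that
# they override it once that data is known.
RULES: List[Rule] = [
    Rule("printer-by-fingerprint", "Printers",
         lambda s: s.get("auth") == "mac"
         and s.get("dhcp_fingerprint") == "HP-LaserJet"),
    Rule("finance-user", "Finance",
         lambda s: "finance" in s.get("ad_groups", ())),
    Rule("corporate-machine", "Corporate",
         lambda s: s.get("auth") == "eap-tls"
         and str(s.get("cert_cn", "")).endswith(".corp.example")),
]


def evaluate(session: Session) -> str:
    """Return the policy of the first matching rule, else the default."""
    for rule in RULES:
        if rule.match(session):
            return rule.policy
    return DEFAULT_POLICY


def authorize(session: Session) -> Session:
    """Initial authorisation: only attributes present in the Access-Request
    (auth method, certificate identity, MAC) are available here."""
    result = dict(session)
    result["policy"] = evaluate(result)
    return result


def enrich(session: Session, **attrs: object) -> Tuple[Session, Optional[str]]:
    """Merge attributes learnt after authentication (Kerberos snooping,
    firewall API, DHCP fingerprint) and re-evaluate the rules.

    Returns the updated session and a CoA action string if the matching
    policy changed, or None if the original decision still stands.
    """
    updated = dict(session, **attrs)
    new_policy = evaluate(updated)
    coa = None
    if new_policy != session["policy"]:
        coa = (f"CoA: move {session['mac']} from "
               f"{session['policy']} to {new_policy}")
        updated["policy"] = new_policy
    return updated, coa


if __name__ == "__main__":
    # Constructed sample: machine-cert laptop, then a user identity arrives.
    laptop = authorize({"mac": "aa:bb:cc:dd:ee:01", "auth": "eap-tls",
                        "cert_cn": "laptop01.corp.example"})
    print(laptop["policy"])
    laptop, coa = enrich(laptop, username="jdoe", ad_groups={"finance"})
    print(laptop["policy"], "|", coa)

    # Constructed sample: MAC-authenticated device, fingerprint arrives later.
    printer = authorize({"mac": "aa:bb:cc:dd:ee:02", "auth": "mac"})
    print(printer["policy"])
    printer, coa = enrich(printer, dhcp_fingerprint="HP-LaserJet")
    print(printer["policy"], "|", coa)
```

The point the model makes is that the first `authorize()` call can only ever land on the machine-cert or MAC rule; the AD-group and fingerprint rules are unreachable until `enrich()` runs, and without a CoA step the session simply stays on the initial policy.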