topic Re: Authentication using username-password/certificates by ISE in Network Access Control

Authentication using username-password/certificates by ISE

raksec — Mon, 20 May 2019 07:49:50 GMT

Hello,

We have a use case where users should be authenticated by username-password/certificates both simultaneously for Windows/Mac. Is this possible?

Thanks,

Rakesh Kumar

Re: Authentication using username-password/certificates by ISE

Jason Kunst — Mon, 20 May 2019 12:09:29 GMT

Please explain further your exact needs and why:
We already have EAP chaining for windows that ties together machine and user credentials with Anyconnect NAM
For Mac and windows You can do machine certificates with CWA chaining

Re: Authentication using username-password/certificates by ISE

raksec — Mon, 20 May 2019 12:13:46 GMT

Not talking about EAP-chaining which combines user/machine authentication. Here is the use case:

Authenticating users by using password and certificates both simultaneously for windows/mac.
Authenticating machines by using password and certificates both simultaneously for windows/mac.

Re: Authentication using username-password/certificates by ISE

Mike.Cifelli — Mon, 20 May 2019 13:05:36 GMT

You have several security protocols that you can use to accomplish either/or. From a security standpoint you are better off using certificates with eap-tls. Why couldnt you enforce CAC authentication to the domain that authenticates the user based on user principal name, and then implement NAM to auth the computer via certificate and the user either with cert or common access card.

Re: Authentication using username-password/certificates by ISE

Jason Kunst — Mon, 20 May 2019 15:03:29 GMT

Supplicants only send 1 or the other at a time. You can do machine auth before login and then user auth upon login (windows). Please explain further why and how

Re: Authentication using username-password/certificates by ISE

Mike.Cifelli — Mon, 20 May 2019 15:55:56 GMT

If that is directed at me I missed the simultaneously piece. However, if there are already solutions available to auth both users & comps via certificates I dont see a benefit to adding username/pass. Just my opinion. Regardless, I dont know enough about the requirements to provide more details.

Re: Authentication using username-password/certificates by ISE

raksec — Tue, 21 May 2019 08:20:51 GMT

Guys,

First of all, my use case is not related to EAP-chaining. This is similar to what works for anyconnect where ASA validates the user's certificate first, then checks with RADIUS server to validate user's password.

Let me try again to explain the customer's requirement again.

User 'John' has a corporate laptop. For instance, keep laptop authentication out of this. When John tries to connect to network, he should be authenticated by his password as well as certificate provided to him. ISE should be able to validate both types of credentials.

Re: Authentication using username-password/certificates by ISE

hslai — Wed, 22 May 2019 16:57:00 GMT

Jason already answered. ASA supports multiple authentications combining with user/machine certificate for remote-access VPN connections while ISE is supporting mostly single authentications, except for EAP chaining and CWA chaining for wired and wireless.

I agreed with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.

Re: Authentication using username-password/certificates by ISE

raksec — Thu, 23 May 2019 04:01:53 GMT

Understood, thank you all.