topic Re: ISE Machine Authentication in Network Access Control

ISE Machine Authentication

Ricky Sandhu — Thu, 03 Jan 2019 01:54:17 GMT

Hey everyone, Happy New Year!

My question has to do with Windows Machine Authentication. I understand the in's and out's of how 802.1x works but having some confusion about the actual authentication of the machine. My understanding is, when a machine joins AD, an account is created and credentials are stored on the machine. After this, each time machine is rebooted, machine authentication takes place (before user authentication). What if I am using a wireless SSID that authenticates users via 802.1x (PEAP). This means wireless connection won't come up, until a user provides his/her credentials. How does the machine authenticate itself to the domain even if the user is not logged into the computer and no IP address is assigned to that computer.

Re: ISE Machine Authentication

pan — Thu, 03 Jan 2019 07:10:05 GMT

Is your SSID configured for dot1x? If yes then wireless NIC setting need to be changed as below:

Now change the setting for dot1x to user or machine auth.

Re: ISE Machine Authentication

nithinrs78901 — Thu, 03 Jan 2019 08:08:36 GMT

If you are using winidws 10 or 8 operating system,you should change the registry value.

Windows 8/10 Registry Changes for 802.1x Authentication

Press the Windows logo Key+R to open the Run box.
Type regedit in the Run box, and then press Enter.
Locate and then select the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

On the Edit menu, click New, and then click DWORD (32-bit)
Type LsaAllowReturningUnencryptedSecrets, and then press Enter.
Right-click LsaAllowReturningUnencryptedSecrets, click Modify…, type 1 in the Value data box, and then click OK.
Exit Registry

NOTE: No registry changes for windows 7

Re: ISE Machine Authentication

Mohammed al Baqari — Thu, 03 Jan 2019 08:21:16 GMT

Client IP address isn't required for PEAP authentication whether its wired
or wireless.

* Outer channel of EAP is established as part of SSID handshake similar to
wired connection.
* Next username/password for user authentication or machine-name/password
for machine authentication is encapsulated in EAP messages (inner channel)
* The credentials are exchanged with AP using EAP message, AP encapsulate
the messages over CAPWAP and sends them to WLC (this is using AP and WLC IP
addresses)
* Finally WLC decap CAPWAP messages and forward the EAP messages to ISE
using WLC/ISE IPs. ISE will decapsulate the messages to obtain name and
password for user or machine.

This is the same concept in wire. You can see that for entire handshake,
client IP isn't required. For WiFi, EAP handshake is part of joining SSID
and if it fails, SSID joining will fail.

Hope its clear.

**** Please remember to rate useful posts

Re: ISE Machine Authentication

paul — Thu, 03 Jan 2019 13:54:00 GMT

You would almost never want to do PEAP computer or user authentication as shown using the Windows Native supplicant. As mentioned if you set the supplicant for computer only you are ensuring the device is domain joined and thus a company asset. If you allow the supplicant to transition to user authentication using PEAP you are losing the fact that the user is on a company asset. You can use profiling/MAR cache to help determine the user is still on a company asset but each of those have their own pit falls.

Re: ISE Machine Authentication

Sheraz.Salim — Thu, 03 Jan 2019 14:29:32 GMT

@paulhow about passive-id and which you recommand would be more beneficial

1. profiling with AD, DNS, DHCP, HTTP, RADIUS

2. passive-id

3. if using posture, than HTTP and DHCP

Re: ISE Machine Authentication

Ricky Sandhu — Thu, 03 Jan 2019 18:33:41 GMT

Big thanks to everyone who responded but Mohammed hit the nail right on the head for this one. Thank you!

Re: ISE Machine Authentication

Sheraz.Salim — Thu, 03 Jan 2019 18:34:46 GMT

Might this help you.

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html