topic Re: Issues in PEAP Authentication--Cisco ISE in Network Access Control

Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Mon, 10 Sep 2018 11:42:21 GMT

Dear Community,

We are facing issues in the below setup.

PEAP

clients--} WLC ---Cisco ISE---AD

MSCHAPv2

We have used Private CA certificates to all our local machines and its getting authenticated using validate certificate options in windows property. In this scenario, if users trying there on BYOD devices also with domain account , its getting authenticated.

Kindly help us how to get rid of that ,and our requirement is to achieve windows/AD based authentication with certificate.

Re: Issues in PEAP Authentication--Cisco ISE

ognyan.totev — Wed, 25 Jul 2018 11:41:02 GMT

If you use different certificate for BYOD they will never be authenticated .

But i assume you use same certificate for BYOD too .

In mine deployment i dont have BYOD but all machines in domain are authenticated by certificate .

Re: Issues in PEAP Authentication--Cisco ISE

ognyan.totev — Wed, 25 Jul 2018 11:42:10 GMT

I forgot please see here https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Wed, 25 Jul 2018 11:49:11 GMT

Ognyan,

Thank you for your comments. But please note certificates are deployed in machines only and not through BYOD.

We are using MS PEAP (MS CHAP v2) with Validate Client certificate on the laptop. I want to restrict only the clients with cert installed to connect to the SSID. What should be my ISE Authentication and Authorization policies?

Re: Issues in PEAP Authentication--Cisco ISE

Alex Pfeil — Wed, 25 Jul 2018 12:01:16 GMT

All you must do is remove username and password as a valid authentication. If you have some groups that you want to authenticate, use Active Directory groups and only allow those groups to get on the network. To remove username and password to Active Directory, you have a policy in place. You can simply go to that policy and change it to deny, or remove it.
Thanks,
Alex

Re: Issues in PEAP Authentication--Cisco ISE

Jason Kunst — Wed, 25 Jul 2018 12:02:16 GMT

Seems to me you should configure your valid machines to use EAP-TLS certificate based authentication and not to use PEAP

Under your authentication rules only allow EAP-TLS or under authorization

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Wed, 25 Jul 2018 12:18:03 GMT

We can use only PEAP with MSCHAP-v2, as the we are not authorized change the global SSID requirement.

Keeping this setting , how we can restrict the clients who don't have certificates.

Our setting is like this.

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Wed, 25 Jul 2018 12:26:22 GMT

Hello Alex,

Thank you for your comments, please clarify how to remove specifically for mobile accounts if we are using AD based authentication.

We dont want machines without certificates to connect to the network,currently there is only security prompting happening ( if users give domain account in their mobile), where as it should work normally if using laptops with certificates.

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Wed, 25 Jul 2018 12:28:24 GMT

Ognyan,
have you tried connecting BYOD/personal devices to network using domain accounts and ignoring the security prompt in your deployment?

Re: Issues in PEAP Authentication--Cisco ISE

Jason Kunst — Wed, 25 Jul 2018 12:32:16 GMT

You can do this in ISE

Authorization rule
If SSIDNAME and EAP-TLS then permit access

Otherwise if SSIDNAME and PEAP then redirect them to HTML page or deny access

It’s still not clear exactly what you’re trying to accomplish if you can’t just restrict SSID but don’t allow anyone without a certificate to use it

There are some examples in the BYOD guide mentioned before of similar rule configurations and screenshots

Re: Issues in PEAP Authentication--Cisco ISE

hslai — Wed, 25 Jul 2018 12:32:22 GMT

What shown in your doc is the client-side settings and the server certificate validation is up to the clients.

To limit what clients to authorized on, please see Slides 343 ~ 379 of Reference Presentation from Advanced ISE Services, Tips and Tricks - BRKSEC-3697
Event:2018 Orlando
Craig Hyps, Prinicipal Technical Marketing Engineer

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Wed, 25 Jul 2018 12:58:52 GMT

Jason ,

Thank you for your comments. Please note this

We are not allowed to change the authentication requirement as the SSID is for global users ,and it has to connect to their laptops provided the required certificate is installed. The hindrance is if any employee uses his domain credential to his personal device, it will connect even though client doesn't have certificate.

At this moment we cannot use EAP-TLS , but only on PEAP with certificates.

Re: Issues in PEAP Authentication--Cisco ISE

Alex Pfeil — Wed, 25 Jul 2018 13:04:16 GMT

1. Go to Policy, Policy Sets.
2. Enter the policy that you are using for authentication, click on the > sign.
3. Look at the authentication policy.
4. If there is not a username and password authentication policy, you may have a default policy setup that you need to look at.

Re: Issues in PEAP Authentication--Cisco ISE

Alex Pfeil — Wed, 25 Jul 2018 14:22:14 GMT

I was thinking about the issue you have and you probably are not requiring a certificate in the authentication policy. Create a library condition which matches the certificate, and then add that to the policy. Then, a certificate will be required.

Thanks,

Alex

Re: Issues in PEAP Authentication--Cisco ISE

Arne Bier — Wed, 25 Jul 2018 22:00:39 GMT

Maybe I missed something, but the way to prevent any Supplicant from succeeding in trying the EAP-TLS is method, is for ISE not to offer it in the TLS negotiation.

If a supplicant requests EAP-TLS and ISE isn't able to offer it, then the conversation ends there.

This is done via the Allowed Protocols section in Authentication. Create a new Allowed Protocols profile and then only allow EAP-PEAP.

Re: Issues in PEAP Authentication--Cisco ISE

afsal abdul gafoor — Thu, 26 Jul 2018 06:10:02 GMT

Arnie,

The SSID is a global office requirement , where we dont have any control or we are not the decision making authority .SSID for the client settings is as I showed earlier and we cannot make any changes in the authentication hence we have oblige only PEAP.