https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549558#M528586 <HTML><HEAD></HEAD><BODY><P>Sorry All,</P><P></P><P>My question is related to ACS but your answer will fit for both ISE and ACS. </P><P>We configured two rules. First one is for machine auth and second one is for user auth. And we configured windows supplicant as "user and machine authentication". We are not using anyconnect.</P><P>I think this configuration is known as MAR.</P><P>In ACS logs we see TLS handshake messages. Does it apply EAP-TLS with PEAP here? Or is it just an illusion?</P><P></P><P><IMG alt="image001.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/109043_image001.png" style="height: auto;" /><IMG alt="image002.png" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/109044_image002.png" style="height: auto;" /></P></BODY></HTML> Mon, 10 Jul 2017 20:32:45 GMT ozgguler 2017-07-10T20:32:45Z https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549558#M528586 <HTML><HEAD></HEAD><BODY><P>Sorry All,</P><P></P><P>My question is related to ACS but your answer will fit for both ISE and ACS. </P><P>We configured two rules. First one is for machine auth and second one is for user auth. And we configured windows supplicant as "user and machine authentication". We are not using anyconnect.</P><P>I think this configuration is known as MAR.</P><P>In ACS logs we see TLS handshake messages. Does it apply EAP-TLS with PEAP here? Or is it just an illusion?</P><P></P><P><IMG alt="image001.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/109043_image001.png" style="height: auto;" /><IMG alt="image002.png" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/109044_image002.png" style="height: auto;" /></P></BODY></HTML> Mon, 10 Jul 2017 20:32:45 GMT https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549558#M528586 ozgguler 2017-07-10T20:32:45Z https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549559#M528587 <HTML><HEAD></HEAD><BODY><P>Yes, MAR is used with Windows native supplicant.</P><P>During PEAP, the client will get the EAP server certificate and then have the option to validate it. That might be what you are seeing. I can't see that in your screenshot.</P></BODY></HTML> Mon, 10 Jul 2017 21:02:31 GMT https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549559#M528587 hslai 2017-07-10T21:02:31Z https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549560#M528588 <HTML><HEAD></HEAD><BODY><P>But this is not a certificate authentication, right? Is it still needed to do eap chaining for real machine+user auth?</P><P></P><P>Bonus question: Are they ways to bypass MAR? For example, what happens if i imitate a domain PC's hostname on a non-domain pc?</P><P></P><P>Thanks</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Mon, 10 Jul 2017 22:31:40 GMT https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549560#M528588 ozgguler 2017-07-10T22:31:40Z https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549561#M528589 <HTML><HEAD></HEAD><BODY><P>MAR typically uses password auth. If using certificates, then you need to ensure performing binary compare and use AD id store, else it would not work.</P></BODY></HTML> Mon, 10 Jul 2017 22:35:46 GMT https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549561#M528589 hslai 2017-07-10T22:35:46Z https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549562#M528590 <HTML><HEAD></HEAD><BODY><P>Please also make sure MAR is enabled in external ID store for AD</P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/109052_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Tue, 11 Jul 2017 01:33:14 GMT https://community.cisco.com/t5/network-access-control/user-machine-auth-question/m-p/3549562#M528590 kthiruve 2017-07-11T01:33:14Z