topic Re: ISE - EAP Chaining (TLS vs MSCHAP) in Network Access Control

ISE - EAP Chaining (TLS vs MSCHAP)

mitchell helton — Fri, 21 Feb 2020 18:54:14 GMT

Good morning!

I'm having a tough time wrapping my brain around something, and hope you experts can help. I also hope this isn't too vague of a question, and if it is, I can give specifics around why I'm asking.

If I'm deploying user certificates via AD/GPO, is there any value in using certificates (EAP-TLS) for user authentication? If someone captures a username/password, once they login as that user the certificate will be deployed to them any way.

Am I missing something? I had originally wanted to do EAP chaining with TLS for user and machine and now I'm wondering if using TLS for machine and MSCHAPv2 for the user makes more sense.

So, I guess my question is, what value does TLS for user authentication have within chaining as opposed to MSCHAPv2?

Thank you!

mitch

Re: ISE - EAP Chaining (TLS vs MSCHAP)

Rob Ingram — Tue, 24 Apr 2018 13:26:37 GMT

Hi,
Using User Certificates for authentication in some environments can be a pain E.g. multiple users logging in and out of the same computer.

I don't see any issue using EAP Chaining (EAP-TLS for Computers and PEAP/MSCHAPv2 for User authentication). As long as the ISE rule is configured specifically = if User and Computer passed authenticiation then permit. If computer authentication fails but user authentication passes, either deny or limit the access with a DACL/TrustSec SGT etc.

HTH

Re: ISE - EAP Chaining (TLS vs MSCHAP)

mitchell helton — Tue, 24 Apr 2018 20:05:39 GMT

That sounds reasonable to me. Thanks so much for the input and advice!