topic Re: ISE 2.7 Machine + User authentication in Network Access Control

ISE 2.7 Machine + User authentication

Piotr Grabowski — Fri, 01 May 2020 16:42:07 GMT

Hi,

I found a few discussions about the subject but I'd like to confirm. My idea (for wireless connections) is to use machine auth before user logins and user auth after login. I configured machine group verification as a first step and "was machine authenticated" + user group verification as a second one and the situation is that when I'm logged in and connecting to wireless - it works. Before login (on a login screen), when I try to connect to wireless it says that the certificate is needed for connection (both - user and machine certs are of course installed). In a wireless profile "machine or user auth" is configured.

What should I do/check to make it work? Is it possible to configure it that way in Windows 10?

Regards,

Piotr

Re: ISE 2.7 Machine + User authentication

Colby LeMaire — Fri, 01 May 2020 18:47:58 GMT

In the world of Windows, you can either be in one of two states at a time, NOT both at the same time. When you are not logged in, the computer is in "machine state" and will present machine credentials. When you login, the computer is now in "user state" and will present user credentials. So if it works when you are logged in, then you know the user certificate is good and everything is fine there. If it does not work when you are logged out, then that tells me there is an issue with the computer certificate or Windows ability to choose the correct certificate. Open MMC (run as administrator), add snap-in for "Certificates", choose machine/computer account. In there, expand the folder under Certificates->Personal. That is where the computer certificates will be stored if they are there. If you find your certificate there that you want to use, make sure the Extended Key Usage (EKU) includes "Client Authentication". Also, make sure there are no other certificates with the same EKU. If there are, then the computer is having a hard time picking the correct certificate.

Re: ISE 2.7 Machine + User authentication

hslai — Sat, 02 May 2020 05:46:52 GMT

Colby LeMaire is correct on this.

However, the upcoming Windows 10 May Update (v2004) is going to support TEAP. With EAP Chaining support in TEAP, we may use EAP-MSCHAPv2 for user auth and EAP-TLS for machine auth.

REF: Change Tracking of [MS-GPWL]: Group Policy: Wireless/Wired Protocol Extension shows

> ... Also updated .. that 'EAP-TEAP method is supported on Windows 10 v2004 and later. ...

Re: ISE 2.7 Machine + User authentication

Piotr Grabowski — Sat, 02 May 2020 09:39:26 GMT

Thanks, I will test and confirm it on Monday but I'm pretty sure that when I choose "computer auth" in WLAN configuration - it works fine authenticating the machine, when "user auth" is selected it also works fine with user's certificate. The issue is when "user or computer" is selected - after restarting Windows, when I try to connect to wireless on a login screen, it tells me that "this connection requires a certificate, contact administrator".

Can it be something with the wireless profile in Windows?

Re: ISE 2.7 Machine + User authentication

Colby LeMaire — Sat, 02 May 2020 15:16:31 GMT

It is possible. Can you post screenshots of your wireless profile configuration?

Re: ISE 2.7 Machine + User authentication

Piotr Grabowski — Sat, 02 May 2020 18:01:21 GMT

I don't have access to my test laptop today, but as far as I remember:

WPA2-Enterprise, Smart-card or certificate, Use a certificate + simple cert selection.

Advanced settings: user or computer, enable single sign-on (60 sec).

I will check it on Monday

Re: ISE 2.7 Machine + User authentication

hslai — Sun, 03 May 2020 04:02:46 GMT

Try and go without the option [ ] Enable single sign-on for this network.

Re: ISE 2.7 Machine + User authentication

Piotr Grabowski — Mon, 04 May 2020 15:32:49 GMT

So - I ran some test today and unfortunately no sucess. I have three WLAN profiles configured: user-auth, machine-auth and both-auth, all of these are identical besides auth type.

When I'm logged into Windows - all three profiles are working fine (user - user certificate, machine - machine cert, both - user cert).

On a login screen - "user" and "machine" are ok but "both" can't find the certificate. It also looks like "was machine authenticated" flag is not being set after hitting the first rule (machine group check).

Does it require to configure something in AD maybe? I've also checked it with "single sign-on" enabled and disabled with the same result.

Re: ISE 2.7 Machine + User authentication

vsurresh — Thu, 15 Apr 2021 10:21:45 GMT

I'm hoping to get some help with EAP-Chaining which always confuses me. I have read few articles and they are saying when using EAP-TLS, I can only do machine OR user authentication but not both at the same time. However, what is stopping me from create an authorization policy with two conditions:

Permit access if:

the user is part of the domain AND

the machine is part of the domain.

Doesn't it mean I'm doing machine AND user authentication without EAP chaining?

Re: ISE 2.7 Machine + User authentication

Greg Gibbs — Thu, 15 Apr 2021 23:35:43 GMT

It has to do with how the Windows supplicant works. Have a look at this blog written by one of the ISE TMEs.

https://www.networkworld.com/article/2940463/machine-authentication-and-user-authentication.html

Windows has two distinct states for Computer vs. User. When moving to a different state, the supplicant initiates a new RADIUS session, so the authZ policy you're describing will not work. The only real way to tie the Computer and User credentials together is via EAP Chaining using either AnyConnect NAM or TEAP in Windows.

Re: ISE 2.7 Machine + User authentication

thomas — Tue, 20 Apr 2021 05:20:05 GMT

EAP-Chaining means you are chaining together both the machine credential and the user credential in a single authentication transaction.

Only 2 protocols support this: EAP-FAST and TEAP.

EAP-FAST is only supported on Cisco AnyConnect with ISE.

TEAP is only supported by Windows 10 20H1/19041 and later native supplicant with ISE.

See these policy examples:

Please ask any followup questions in a new thread.