topic Re: NON-DOMAIN MACHINE AUTHENTICATION in Network Access Control

NON-DOMAIN MACHINE AUTHENTICATION

RustamRustamov1023 — Thu, 05 May 2022 11:27:10 GMT

Hi,

I authenticate the user using the local database of ISE and I also want to authenticate my machine. But this machine is not joined to AD.

How can I authenticate a nondomain machine?

Machine username is host/example so I created the same username in the local database with a random password. I saw in logs an error 22063 Wrong password.

How is it possible to authenticate also my non-domain machine?

Re: NON-DOMAIN MACHINE AUTHENTICATION

ahollifield — Thu, 05 May 2022 12:20:25 GMT

What is your EAP type? PEAP?

I am not an AD expert but AFAIK you cannot do this without Active Directory. AD manages the password on the machine, there is no way to change/update the machine password, hence why you are seeing incorrect password.

If this is what you are trying to do why? What is the use-case? What significance would a non-domain machine account have?

Re: NON-DOMAIN MACHINE AUTHENTICATION

RustamRustamov1023 — Thu, 05 May 2022 12:24:18 GMT

I use PEAP. This is the requirement of my customer so I have to authenticate user and also non-domain machine.

Is there any other methods to authenticate non-domain machine?

Re: NON-DOMAIN MACHINE AUTHENTICATION

ahollifield — Thu, 05 May 2022 12:37:05 GMT

First I would question the requirement. What exactly does the customer hope to gain by this?

EAP-TLS using a certificate issued to that computer (stored in the computer account) is a possible option. However, without AD or an MDM how are you going to get a certificate to that machine and manage the certificate renewal process?

Re: NON-DOMAIN MACHINE AUTHENTICATION

Flavio Miranda — Thu, 05 May 2022 12:38:28 GMT

If you are using ISE local Data Base, then you are not using AD.

If you selected "Internal User" under "Password Type" Then, you need to select the User Group. And you need to add your user on the User group.

Re: NON-DOMAIN MACHINE AUTHENTICATION

RustamRustamov1023 — Thu, 05 May 2022 16:31:31 GMT

Yes, I did it in the way that you described but there is a 22063 Wrong password error. The non-domain machine uses some username and password. I know which username it is from logs but I do not which password is it used.

The main question is how can I authenticate also my non-domain machine?

Re: NON-DOMAIN MACHINE AUTHENTICATION

Flavio Miranda — Thu, 05 May 2022 16:34:23 GMT

Did you create an Autorization profile as well ?

Take a look on this video.

https://www.youtube.com/watch?v=E_s9WHSVLYQ

Re: NON-DOMAIN MACHINE AUTHENTICATION

RustamRustamov1023 — Thu, 05 May 2022 16:34:25 GMT

Yes, I authenticated the non-domain machine with a certificate but now I have to do it using PEAP-MSCHAPv2

Re: NON-DOMAIN MACHINE AUTHENTICATION

RustamRustamov1023 — Thu, 05 May 2022 16:43:32 GMT

Yes, I created Authorization Profile and I have a wired dot1x environment, not wireless. There are no questions about user authentication there is a question about how to authenticate a non-domain machine using PEAP-MSCHAPv2?

Re: NON-DOMAIN MACHINE AUTHENTICATION

Arne Bier — Fri, 06 May 2022 00:48:08 GMT

Hi @RustamRustamov1023

You can authenticate a non-domain joined machine in the following ways. Since this machine is not domain joined, you cannot and will never succeed in performing computer authentication with EAP-PEAP

Therefore your choices of how to configure the native Win 10 supplicant are:

Computer authentication using EAP-TLS
User authentication using EAP-TLS or using EAP-PEAP
User/Computer authentication using EAP-TLS only (Win10 won't allow mixing of EAP methods unless you try EAP-TEAP)

Re: NON-DOMAIN MACHINE AUTHENTICATION

ahollifield — Fri, 06 May 2022 14:17:14 GMT

You can't. There is no concept of this AFAIK without being joined to a domain. Again though what is the use-case here?