topic Re: Question EAP-TLS security in Network Access Control

Question EAP-TLS security

athan1234 — Mon, 13 Feb 2023 08:53:13 GMT

Dear all:

I have a few inquiries.

My ISE EAP -TLS user certificate is configured.

What will happen if a person copies this user certificate and pastes it into an another PC, enabling him to connect to the network?

How is the flow certificate between AD , iSE and USER

Is it feasible to increase security and add extra user and password?

Re: Question EAP-TLS security

Rob Ingram — Mon, 13 Feb 2023 08:57:47 GMT

@athan1234 it depends, do the users have permissions to export their user certificate?

You could use EAP chaining using TEAP, which combines machine and user authentication. This could be certificates or username/password. Certificates are considered more secure.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Re: Question EAP-TLS security

athan1234 — Tue, 14 Feb 2023 08:03:02 GMT

hi @Rob Ingram so thanks for your reply

some questionsover TEAP
What is the advantage in my situationusing use TEAP?
I've read that using TEAP, you can authenticate both the computer and the user at the same time, but I'm not sure what the benefit of doing it

Could you provide me with a short example?

Regarding machine and user certificates

My cliencertificate is merely a user certificate.

I want to understand when you use user certificate it does not involve AD. It only checks with AD for the athorization it is right? CN has to be the same as AD username otherwise ISE will not be able to look up the user against AD to fetch the user group info.
Only the CN name will show up on the report so that's all you have to query against.

In order to strengthen security, it is necessary to add the user's policy authorizacuin on ISE with AD to the authorization policy.
otherwise it is not required?

I'm uncertain about the machine certificate.
I wish to comprehend when you have a machine certificate, but it's unclear to me.
What is the advent6age for if it only controls the machines that belong to the dominion and has a machine certificate?
how is the process when using a certificate on a machine?

What is the propuse for the ISE authorization policy assuming the True machine.

So thanks

Re: Question EAP-TLS security

Rob Ingram — Tue, 14 Feb 2023 08:23:18 GMT

@athan1234 the benefit of using EAP Chaining (TEAP) is if the user is authenticated using TEAP on a computer that was authenticated using TEAP, ISE would know that the user is connecting from an authenticated machine. It's considered more secure.

When you use certificates for authentication, you can optionally lookup to AD for authorisation and check group membership and apply to authorisation rules.

You'd want to use machine authentication so device has network access, to process computer group policies, allow AV, Windows updates etc without a user logged into the device.

Re: Question EAP-TLS security

athan1234 — Fri, 17 Feb 2023 21:12:18 GMT

hi @Rob Ingram

I have one more query.sorry

My idea was for incrise the security to do an authorritazion condicion the user has to belong AD especific group
If the user is an AD member, pass I can´t to do it and i have a dilema because my customer will also have mobiles corporate with a certificate.
and ask me how to make this SSID as secure as possible while the user is connecting via a mobile device.
Is there a any policy authoritation condition for do it more secure?

Re: Question EAP-TLS security

Rob Ingram — Fri, 17 Feb 2023 21:10:25 GMT

@athan1234 Using TEAP (EAP Chaining) is the most secure authentication method. If using TEAP with machine and user certificates, ISE can do a lookup to AD against the username in the certificate to determine AD group membership for authorisation.

For the mobile devices I doubt they can do TEAP, so you would need to use EAP-TLS with a device certificate, which can be deployed via an MDM.

Re: Question EAP-TLS security

athan1234 — Mon, 20 Feb 2023 16:57:33 GMT

Hello, Rob Ingram
Once more, many thanks.

So, the following scenario for my client is possible:

Assume that my clients accept wireless TEAP for PC connections and EAP-TLS for mobile corporations.

It will be feasible to develop two distinct authentication and authentication mechanisms

If TEAP is used for authentication and this authorization

If EAP-TLS authentication is used and , this authentication

Do you believe it to work?

Re: Question EAP-TLS security

Rob Ingram — Mon, 20 Feb 2023 17:01:44 GMT

@athan1234 yes, define the EAP-TLS in the authorisation rule, only the client configured to use EAP-TLS will match that rule. The client devices configured to use TEAP will not match that rule. That's were you'd configure the EAP Chaining.

Re: Question EAP-TLS security

athan1234 — Tue, 21 Feb 2023 15:17:31 GMT

@Rob Ingram

Well, you are correct; nonetheless, I want to talk to you about mobile authentication using TLS.

If TEAP is used for authentication and this authorization
If EAP-TLS authentication is used for corp mobile this authorization.

I'm not sure how to build up a condition because my client's does not want to have a MDM. Do you understand me?
Any suggestions when traffic is coming from mobile corporations? ( certificate )

Re: Question EAP-TLS security

Rob Ingram — Tue, 21 Feb 2023 15:27:57 GMT

@athan1234 if Corporate devices use TEAP and mobile devices use EAP-TLS, you just need to distinguish between using at least the authentication method.

Use the condition EAP-TLS in an authorisation rule, then you know only the mobile devices will match that rule. You can also add a condition to match on the certificate issuer, such as your internal CA only. How you'll get a certificate on the mobile devices without an MDM is another problem.

For the corporate devices you can use "Network Access·EapChainingResult Equals User succeeded and machine succeeded" so you know TEAP was the authentication protocol used, the mobile devices will not match these rules. You can do an AD group lookup for the TEAP devices, for group membership of the users and add that as a condition in one of the rules as well.

Re: Question EAP-TLS security

athan1234 — Tue, 21 Feb 2023 20:38:06 GMT

Thanks @Rob Ingram

Apparently apparently he has how MDM intune .