topic Re: Emulate Smart Card in Network Access Control

Emulate Smart Card

ryanbess — Thu, 22 Feb 2024 01:54:28 GMT

Trying to lab some things up. Does anyone have a recommendation for software that emulates a PIV/CAC card?

Re: Emulate Smart Card

Arne Bier — Thu, 22 Feb 2024 02:21:50 GMT

I have never heard of this - just did a google search. But I am unclear what you're trying to emulate. I don't know how this solution is implemented, but like most MFA token-based solutions, they tend to run as a RADIUS service. If that is the case with PIV/CAC solution, then you could spin up another ISE VM, and have that act as your PIV/CAC server. Create some network access user identities there. Then, in your main ISE, configure a remote RADIUS server that uses the other ISE as a "RADIUS Token server" for token authentication. I have done this before to simulate RSA token servers. Of course, you don't have a real token that has a dynamic password/code - but that is not what you're testing - the password would simply be a fixed password that exists in your fake PIV/CAC password. What you're testing is the ISE RADIUS functionality.

Re: Emulate Smart Card

ryanbess — Thu, 22 Feb 2024 02:29:59 GMT

Hey arne

im trying to mock-up what I posted on the teap question. I need to support piv and username password for user logins. Looks like the nam module may have this functionality

Re: Emulate Smart Card

Arne Bier — Thu, 22 Feb 2024 02:47:36 GMT

Oh right - if you want to simulate EAP-TEAP (or any TEAP method) then wpa_supplicant is also an excellent option.

Have a look here at some options

Re: Emulate Smart Card

Ruben Cocheno — Thu, 22 Feb 2024 08:40:25 GMT

@ryanbess

I guess you want to grab the authentication from PIV/CAC card, so Anyconnect NAM will give you that with smartcards just look into here https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure_nam.html

Re: Emulate Smart Card

ryanbess — Fri, 23 Feb 2024 00:24:01 GMT

ultimately I'm trying to lab up a few scenarios in my virtual lab. One thing i want to see what happens if i configure the windows supplicant to do PEAP with the authentication method "Secured password (EAP-MSCHAP V2). I get what would happen from the computer side, the computers credentials would be sent to ISE. But what would happen if the user authenticated via PIV? I get the computer would unlock but what would the supplicant do for the user authentication? Would it still send the cert, would it send a cached credential, or would it do nothing.