topic Re: Machine + user Auth/Authorize based only on AD in Network Access Control

Machine + user Auth/Authorize based only on AD

SorinPopa — Wed, 29 May 2024 10:58:24 GMT

Hello,

I'm searching a method of NAC implementation in a scenario using only AD (client doesn't have CA for generating certs yet) for Wired.

1st do -> Machine (Windows10) autentication with AD (Domain Computer).

2nd do -> User Auth + Authorize with dynamic Vlan x.

I'm not pretty sure how to configure this on ISE. There will 2 rules under Authorization? How can I tie this order together?

Also I want the user to enter the credential only one time, when he log on the station, i guess enable single sing on should be checked.

Re: Machine + user Auth/Authorize based only on AD

ahollifield — Wed, 29 May 2024 11:58:40 GMT

Why doesn't the client deploy a PKI/CA? What is the use-case for changing VLANs? PEAP is broken from an encryption standpoint and should no longer be used. Credential Guard in newer versions of Windows disables PEAP.

Re: Machine + user Auth/Authorize based only on AD

SorinPopa — Wed, 29 May 2024 12:15:16 GMT

Hello,

The client does not have the technical capability to implement right now a PKI/CA. The use case for changing vlans is for network segmentation for the departments like Sales, Marketing, IT, etc. Each OU group from AD with a different vlans so that we can deploy firewall rules on top.

Re: Machine + user Auth/Authorize based only on AD

ahollifield — Wed, 29 May 2024 12:31:28 GMT

The client should hire their preferred partner of choice to help them implement a PKI instead.

VLAN use-case makes sense if this for upstream firewall rules and should work fine for devices with a supplicant. I would also consider looking at SGTs instead of VLAN changes and using an SGT aware firewall to enforce instead. Just be wary about changing VLANs where clients are not aware a VLAN change has occurred and must request a new DHCP address post VLAN change.

Re: Machine + user Auth/Authorize based only on AD

thomas — Wed, 29 May 2024 23:36:39 GMT

Use TEAP as the authentication protocol to provide both machine + user credentials at the same time.

See > TEAP-Chaining with Tunneled EAP (TEAP) for a policy example.

Re: Machine + user Auth/Authorize based only on AD

Greg Gibbs — Thu, 30 May 2024 00:30:09 GMT

Just be aware that, while using TEAP with an inner method of MSCHAPv2 is possible, you will need to ensure that Credential Guard is disabled in order for MSCHAPv2 to work as @ahollifield pointed out earlier.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

Credential Guard was implemented to mitigate specific vulnerabilities (such as pass-the-hash), so a better option would be to move to certificate-based authentication methods like EAP-TLS (as recommended by MS). Microsoft is actively moving to disable support for weak protocols, so I would not be surprised if they remove the ability to disable Credential Guard in the future.

Re: Machine + user Auth/Authorize based only on AD

SorinPopa — Thu, 30 May 2024 06:13:54 GMT

Ok, thank you very much guys for all the usefull information. I will try it and speak with the customer to migrate to PKI/CA asap.