802.1x EAPTLS GPO policy configuration push

aravikumar · ‎11-18-2019

Hello,

We are joining an 802.1x endpoint to domain and that would make the endpoint fetch machine certificate for the endpoint (as per GPO policy). If we push the supplicant configuration to do EAPTLS machine or user authentication, what is the behavior? My understanding is as following.

Before logging into the endpoint the machine will be authenticated using machine cert. After logging in and the user profile is created (after user cert is fetched) and the user logs in, EAPTLS user authentication happens as per the aforementioned supplicant configuration (machine or user).

Please validate my understanding and please do provide more insight in this regard.

Thanks,

Aravind.

Colby LeMaire · ‎11-18-2019

Your understanding is correct. When no one is logged in to the machine, it is the "machine state" and will present machine credentials. When a user logs in, it switches to "user state" and will present the user's credentials. User logs out, and it switches back to "machine state".

I don't recommend that configuration since it does potentially open a hole where someone could use their user credentials on a personal/rogue laptop to gain access. You should make sure the certificates that are issued to the machines and users is not exportable. That way, a user would not be able to export their certificate and move it to an unapproved device. Machine Access Restrictions (MAR) can also validate that there was a previous machine authentication; however, I don't recommend it since it relies on a cache. And if a laptop is never logged out of by the user, it will not present machine credentials first and users would be prevented from getting on.

If you truly need to authenticate the users in addition to the machines, then I would recommend EAP-Chaining with Anyconnect NAM. It is more complicated to deal with so I highly recommend considering doing machine-only authentication. Most environments don't need to differentiate access based on who the user is. Authenticating the machine is the priority to ensure no rogue devices are connected.

Arne Bier · ‎11-18-2019

And to add to that, EAP Chaining using AnyConnect has been "a thing" for so long that finally there is hope on the horizon for an open standard for this - a new EAP method called TEAP (Tunnel EAP) ... well, "new" ... since 2014 - RFC7170. It's a proposed standard but it should solve this issue once and for all.

I seem to recall seeing this on the ISE 2.7 feature list - but unless the OS's support it natively then the adoption will be slow.

aravikumar · ‎11-18-2019

Thank you for your reply. We have faced issue with AnyConnect NAM before and TEAP is yet to be supported by Microsoft Native Supplicant.

As an extension of my question, I would like to know what would in the following scenario.

The original windows image is configured on machine authentication only. when a user logs in , as part of GPO the supplicant setting is pushed for "user or machine authentication". When another user logs into the same machine would the supplicant setting change to machine authentication or would the settings remain as user or machine authentication? Also would the behavior be consistent while the new user tries to switch user, logs off and logs in and reboots?

Thanks,

Aravind.

Colby LeMaire · ‎11-18-2019

The supplicant configuration falls under the computer configuration portion of the GPO so it applies to the machine regardless of which user is logged in. If the computer is initially configured for machine only, then that is what it will have until the new GPO gets applied during bootup and connection to AD. If there is connectivity to AD before the user logs in, then the GPO will get applied to the computer. If you block network access until a successful 802.1x user authentication, then that computer won't be able to connect and would not get the GPO. You would have to configure a pre-auth ACL on the switchport or allow AD access after a successful machine authentication and then full access after the user authenticates.