Cisco Employee

Authentication using username-password/certificates by ISE

Hello,

We have a use case where users should be authenticated by username-password/certificates both simultaneously for Windows/Mac. Is this possible?

Thanks,

Rakesh Kumar


8 Replies
Cisco Employee

Re: Authentication using username-password/certificates by ISE

Please explain further your exact needs and why:

  • We already have EAP chaining for Windows that ties together machine and user credentials with AnyConnect NAM.
  • For Mac and Windows you can do machine certificates with CWA chaining.


Cisco Employee

Re: Authentication using username-password/certificates by ISE

Not talking about EAP chaining, which combines user/machine authentication. Here is the use case:

  • Authenticating users by using password and certificates both simultaneously for Windows/Mac.
  • Authenticating machines by using password and certificates both simultaneously for Windows/Mac.
Rising star

Re: Authentication using username-password/certificates by ISE

You have several security protocols that you can use to accomplish either/or. From a security standpoint you are better off using certificates with EAP-TLS. Why couldn't you enforce CAC authentication to the domain that authenticates the user based on user principal name, and then implement NAM to auth the computer via certificate and the user either with cert or common access card?
Cisco Employee (accepted solution)

Re: Authentication using username-password/certificates by ISE

Supplicants only send one or the other at a time. You can do machine auth before login and then user auth upon login (Windows). Please explain further why and how.

Rising star

Re: Authentication using username-password/certificates by ISE

If that is directed at me, I missed the simultaneously piece. However, if there are already solutions available to auth both users and comps via certificates, I don't see a benefit to adding username/pass. Just my opinion. Regardless, I don't know enough about the requirements to provide more details.
Cisco Employee

Re: Authentication using username-password/certificates by ISE

Guys,

First of all, my use case is not related to EAP chaining. This is similar to what works for AnyConnect, where the ASA validates the user's certificate first, then checks with the RADIUS server to validate the user's password.

Let me try again to explain the customer's requirement.

User 'John' has a corporate laptop. For instance, keep laptop authentication out of this. When John tries to connect to the network, he should be authenticated by his password as well as the certificate provided to him. ISE should be able to validate both types of credentials.
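As an added illustration of the ASA behaviour described in this post (configuration written for this page, not taken from the thread; the names CORP-VPN, ISE-RADIUS and VPN-POOL, the address 10.0.0.5 and the shared secret are assumptions), this is the tunnel-group shape on an ASA that makes an AnyConnect user present a valid client certificate and then a username/password that the ASA forwards to ISE over RADIUS:

```text
! RADIUS server group pointing at ISE (hypothetical address and key)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.5
 key ChangeMeSharedSecret
!
! The trustpoint holding the CA that issued the user certificates is
! assumed to exist already; enrollment is omitted here.
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
tunnel-group CORP-VPN webvpn-attributes
 ! "aaa certificate": the client certificate is validated by the ASA
 ! first, then the username/password is sent to the RADIUS group (ISE)
 authentication aaa certificate
 ! Derive the username from the certificate CN and lock the AAA prompt to
 ! it, so the password cannot be supplied for a different identity than
 ! the one in the certificate
 username-from-certificate CN
 pre-fill-username ssl
 group-alias CORP enable
```

The point worth noting for the question in this thread is where each check happens: the certificate is validated on the ASA, and ISE only ever sees an ordinary RADIUS username/password request. Without `pre-fill-username`, the two factors are not bound to the same identity, which is the check a reviewer should ask for whenever "certificate plus password" is configured this way.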

Cisco Employee (accepted solution)

Re: Authentication using username-password/certificates by ISE

Jason already answered. ASA supports multiple authentications combined with user/machine certificates for remote-access VPN connections, while ISE supports mostly single authentication, except for EAP chaining and CWA chaining for wired and wireless.

I agree with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.

Cisco Employee

Re: Authentication using username-password/certificates by ISE

Understood, thank you all.