Beginner

Common Endpoint Authentication Scenarios

Hello,

I'm in the process of implementing 2.3 with a mixture of Windows 7 and Windows 10 [wired] endpoints but I'm curious what people consider "standard" in terms of 802.1x authentication for Windows workstations (wired or wireless). More specifically, PEAP-EAP-MSCHAPv2 or PEAP-EAP-TLS?

I have gotten both working but am currently leaning towards EAP-TLS. Using group policy to configure Wired AutoConfig conjunction with our Windows Certificate Services Enterprise CA, things seem to work pretty well (surprisingly fast). I want to make sure that I'm not trying to do anything out of the ordinary though. In other words, is this how many of you are handling endpoint authentication or should I look at MSCHAPv2 instead?

If you are using EAP-TLS, are you publishing your computer certificates to Active Directory? I am at the moment but I'm having trouble determining if that is a requirement?

I appreciate any input on this rather mundane topic.

Thanks!

Accepted Solution
VIP Engager

Re: Common Endpoint Authentication Scenarios

I would say if you are only doing computer authentication, which is very common if you are trying to only answer the question "Is the attaching device a corporate asset", then PEAP computer authentication is the simplest way to go. We have been using it as a standard for years.

If you also require user information then you have a few options:

  1. EAP-TLS - probably the best way to do it, but you have to deal with the user first login issue, i.e. the supplicant is told to transition to user mode authentication but the user hasn't autoenrolled their certificate yet.
  2. PEAP User - by itself not great because you can't tell if they are still logged onto a corporate asset. This opens up security risks by allowing users to bring in whatever type of device they want as long as they can pass AD user credentials.
  3. PEAP User + MAR - tie PEAP user with MAR cache. Make sure you understand the caveats of MAR cache.
  4. PEAP User + profiling as corporate computer - use profiling to determine corporate computer, AD profiler, DHCP profiler, etc.
  5. PEAP User + MAR + Profiling - combine MAR with profiling to cover the holes in each method.
  6. EAP-Chaining - requires the use of NAM and I don't believe is widely deployed, but could be wrong.
  7. PEAP Computer + CWA chaining - authenticate the computer and gather AD credentials via CWA portal.
  8. PEAP Computer + Passive ID - if you only require user information to pass to other systems via pxGrid you could explore Passive ID techniques to gather user information while keeping the active path computer only.

I am sure I missed some.
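The first-login gap in option 1 (machine certificate present, user certificate not yet autoenrolled) is easy to check on the endpoint before Wired AutoConfig is switched to EAP-TLS user mode. The script below is an added example, not code from the thread or from Cisco; it assumes certificates are issued by an AD CS Enterprise CA via autoenrollment, and the issuing CA name is a placeholder you must replace.

```powershell
# Added example: pre-flight check that a Windows endpoint holds a certificate usable
# for EAP-TLS in the machine store (computer authentication) and in the user store
# (user-mode authentication). Assumes AD CS autoenrollment; CA name is a placeholder.
$IssuerMatch   = 'CN=CORP-ISSUING-CA'    # placeholder: your Enterprise CA subject
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU expected by supplicants

function Test-EapTlsCertificate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Store,
        [string]$Issuer
    )
    $now = Get-Date
    # A usable EAP-TLS certificate: private key present, currently valid,
    # issued by our CA, and carrying the Client Authentication EKU.
    $candidates = @(Get-ChildItem -Path "Cert:\$Store\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now -and
        $_.Issuer -like "*$Issuer*" -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ClientAuthOid)
    })
    [pscustomobject]@{
        Store      = $Store
        Ready      = ($candidates.Count -gt 0)
        Count      = $candidates.Count
        Subjects   = @($candidates | ForEach-Object { $_.Subject })
        NextExpiry = ($candidates | Sort-Object NotAfter | Select-Object -First 1).NotAfter
    }
}

# Machine store answers "is this a corporate asset"; the user store is what the
# supplicant needs once it transitions to user mode. On a first login the user
# store is typically empty until autoenrollment has run.
$machine = Test-EapTlsCertificate -Store LocalMachine -Issuer $IssuerMatch
$user    = Test-EapTlsCertificate -Store CurrentUser  -Issuer $IssuerMatch
$machine, $user | Format-Table Store, Ready, Count, NextExpiry

if ($machine.Ready -and -not $user.Ready) {
    Write-Warning 'Machine cert OK, no user cert yet: user-mode EAP-TLS would fail now.'
    Write-Warning 'Trigger autoenrollment (certutil -pulse) or keep machine-only auth for this session.'
}
```

Run it in the user's session (not an elevated admin session), since the CurrentUser store being checked must belong to the account that will authenticate.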

3 Replies
Cisco Employee

Re: Common Endpoint Authentication Scenarios

It's easier for the user if you manage the certificates and use TLS; it's also more secure as you can revoke the certificate without compromising the user's username/password credentials.

It would be considered best practice to try and use TLS.

Beginner

Re: Common Endpoint Authentication Scenarios

Thanks, Paul. This helps get the ball rolling on user authentication.