Machine and User Authentication with Win Native Supplicant

fatalXerror
Level 5

Hi,

It seems that I will be using native supplicant for my machine and user authentication because of licensing with AnyConnect NAM.

Anyway, based on the design, after a successful machine authentication the endpoint will be placed into a machine VLAN (like a landing VLAN which has limited access), then after a successful user authentication the endpoint will be placed into the user VLAN, which has access to everything.

Here is my concern, I believed that ISE does not send CoA after user authentication meaning, the endpoint is still in the machine VLAN with the same IP. How to overcome this scenario? Or what should be the best approach for this one?

Thanks

9 Replies

paul
Level 10

Doing a VLAN switch after the initial connection is always tough and something I wouldn't attempt. If you're really set on trying it you could do an auto smart port that would bounce the port, but then you are going to disconnect the phone if there is one.

What is the purpose of changing VLANs? The concept of VLANs for security is a bit dated (although still used heavily). You can push DACLs, SGT tags, etc. to grant different levels of access without relying on VLAN changes.

Hi @paul ,

It is just to simplify the use of ISE for operation purposes, the client wants to have it after a successful machine authentication to put it into a machine vlan with limited access then after a successful user authentication, put it in user vlan with full access.

Any other ways other than using auto-smart port to address my concern?

Thanks

I don't think the auto smart port macro will work well in this case. Part of our job as ISE consultants is to advise customers on best practices and help them avoid bad designs. What you just described is a bad design in my opinion and I wouldn't let one of my customers go down this path.

If the device does correct computer authentication it has proven that it is a corporate asset. Why place it in a VLAN with limited access? If they want to do some restrictions, use a DACL.
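To illustrate the DACL approach suggested above, here is an added example (not from this thread or from Cisco) of a "limited access" downloadable ACL for a machine-authenticated-only session, together with the IOS switch settings it depends on. A dACL takes effect on the existing session without the endpoint changing IP, which is exactly what the VLAN-change design struggles with. The 10.0.0.x addresses are placeholders for the DC, DNS and patch servers; the rest is standard IOS syntax.

```text
! Switch side (IOS): dACL support needs the RADIUS VSAs enabled and IP device tracking,
! because the switch substitutes the authenticated host's IP for "any" as the source of each ACE.
aaa new-model
aaa authorization network default group radius
radius-server vsa send authentication
ip device tracking
!
! dACL body as entered in the ISE Downloadable ACL result, one IOS extended ACE per line.
! Only the source "any" is used; the switch rewrites it to the session's host address.
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.0.53 eq domain
permit tcp any host 10.0.0.10 eq 88
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 445
permit tcp any host 10.0.0.20 eq 443
deny ip any any
```

ISE pushes these ACEs as cisco-av-pair `ip:inacl#<n>=` attributes in the Access-Accept, so the same authorization profile can later be swapped for a full-access dACL by the user-authentication policy rule without any VLAN or IP change on the endpoint.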

Mike.Cifelli
VIP Alumni
I agree with @paul. I think your better option is to explain the benefits to them of using Anyconnect NAM module. One of the major benefits is the ability to use eap-chaining via eap-fast. Using this will allow you to move computers/users into different subnets or apply separate dacls like Paul mentioned. There is a really nice condition you can use in authz policies known as eapchainingresult, which can drive policy based on computer pass + user fail, user pass + computer fail, and user/comp pass. I would push for this. Unfortunately, as far as I know the Windows native supplicant does not support eap-fast or the industry standard eap-teap that would give you the ability to use eap-chaining.

Hi @Mike.Cifelli, I agree with that also, and at first I suggested AnyConnect NAM, but upon checking, AnyConnect 4.x now needs a license even if I will just use the NAM module.

Why does the customer need to go to User authentication?  Many customers just want to make sure the device that is connecting is a corporate asset.  PEAP Computer authentication tells you that.  If you don't have differentiated user access policies or aren't feeding user information to pxGrid connected systems then there is no reason to go to user mode authentication.

Hi @paul , they have user differentiated access.

@fatalXerror I think from a security perspective you get an extra layer if you have the ability to quarantine actual users too instead of just computers objects. Obviously there are many ways to skin the cat here. @paul makes some good points. If user authentication is a must then they should understand that you will need to spend money on the appropriate licenses to run NAM.

@Mike.Cifelli, I was able to convince the admin about the limitation of the MAR and now we will just be using machine authentication to determine organizational assets.
