5102 Views, 10 Helpful, 4 Replies

802.1x AD User and Machine authentication

nkingsbury
Level 1

Hello,

Sorry that this has been asked a dozen times or more, but I can not find anything current that directly answers the question.

 

I am trying to authenticate users based on both AD user group and machine name or group using ISE 2.3. Machines are Windows 7, Windows 10 and macOS. Currently, I am authenticating users based on their AD group, but this does nothing to prevent a user from bringing in their own laptop and connecting to the internal network with their AD credentials.

 

I have found some solutions using MAR or the AnyConnect client, but neither of these is a viable solution, and those articles are from 2010-2013. I am hoping a solution has been developed over the past 5 years.

 

I have one line in my RADIUS logs, AD-Host-Resolved-Identities, that shows the computer name, but I cannot find a rule in the policy set attributes for it.

 

Any help would be much appreciated.

2 Accepted Solutions

Francesco Molino
VIP Alumni
Hi

Apart from MAR and EAP chaining, there are not many other ways.
You can authenticate machines using PEAP and then redirect to a portal to force users to type in their credentials (CWA chaining).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


agrissimanis
Level 1

You could try to profile your corporate assets. One example I have seen is to set a custom DHCP class identifier on your corporate laptops; then you can build a profiling policy which looks for that custom class ID in the request and only authenticates the user if that custom class ID is found.

You could also perform posture checks, looking for something specific from your corporate OS build (registry key, file, etc.).

Another option would be to issue certificates to both users and computers and mark the certificates as not exportable. Then you would be quite certain that if the certificate is presented to ISE, it is coming from a corporate asset/user. But if you currently don't have a PKI infrastructure set up in your organization, that would be a lot of work.

I realize that none of these options are straightforward; they are just possible suggestions I was thinking about.


4 Replies

Thanks for the detailed response. I have been trying to do the machine cert + user auth method, but I must admit that my overall understanding of the cert process is a bit lacking. I have added our internal CA as a trusted source, but I am not entirely sure what cert the user machine passes to ISE or how to dictate that process. I have tried exporting certs from ISE, putting them on the machine and then setting the wireless profile to use it as the validation cert for the connection, but that has not worked.

 

This would generally be the sequence:

1. Upload your CA cert under the Trusted certificates in ISE and make sure you mark it as "Trust for client authentication and Syslog".

2. In ISE go to "Certificate Signing Requests" and generate a new CSR, selecting "EAP Authentication" as the intended purpose.

3. Go to your CA and issue a new certificate for your ISE with the "Server authentication" purpose based on the CSR you generated.

4. Go back to the "Certificate Signing Requests" section in ISE and bind the CSR.

5. Import the CA cert into the client.

6. Issue certificates to your clients, make sure the template has "Client authentication" as the purpose.

 

This is a very high level description, but that is generally the idea - client must present a certificate issued from CA that ISE trusts and ISE must present a certificate that client trusts.
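The six steps above, worked through with a throwaway openssl lab so the two trust relationships can be checked offline. This is an added example, not code from the thread or from ISE: the CA name, ise.lab.example and user1 are made up, and openssl stands in for what ISE does itself in steps 2 and 4 (generating the CSR and binding the signed certificate) and for the Windows CA template in steps 3 and 6. The "Server authentication" and "Client authentication" purposes become the serverAuth and clientAuth extended key usages, which is exactly what `openssl verify -purpose` checks.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway lab PKI that mirrors the
# six steps above. All names (Lab Corp Root CA, ise.lab.example, user1,
# Rogue CA) are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One config file for "openssl req" plus the extension profiles applied at
# issuance. The EKUs are the point: the ISE EAP cert needs serverAuth
# (step 3), client certs need clientAuth (step 6).
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ise_eap]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ise.lab.example
[client_eap]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Step 1 counterpart: a self-signed CA. Its certificate is what you upload to
# ISE as a trusted certificate and push to the clients (step 5).
make_ca() {   # $1 = base name, $2 = subject CN
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -config "$WORK/pki.cnf" -extensions ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2 counterpart: a CSR, as ISE generates it for "EAP Authentication".
make_csr() {  # $1 = base name, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/pki.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Steps 3 and 6: the CA signs the CSR with the named extension profile.
issue() {     # $1 = CSR base name, $2 = profile (ise_eap|client_eap), $3 = CA base name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 825 -extfile "$WORK/pki.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# What each side does at EAP time: chain the presented cert to the CA it
# trusts and check that the leaf's EKU matches the role it claims.
# $1 = cert file; $2 = sslserver (client checking ISE) or sslclient (ISE checking client)
verify_for() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

build_lab() {
  make_ca ca "Lab Corp Root CA"
  make_csr ise ise.lab.example
  issue ise ise_eap ca
  make_csr user1 user1.lab.example
  issue user1 client_eap ca
  # A second CA that ISE has NOT been told to trust, standing in for a
  # personal laptop with a self-issued certificate.
  make_ca rogue "Rogue CA"
  make_csr byod byod.lab.example
  issue byod client_eap rogue
}

build_lab
verify_for "$WORK/ise.crt" sslserver   && echo "ise.crt accepted as EAP server cert"
verify_for "$WORK/user1.crt" sslclient && echo "user1.crt accepted as EAP client cert"
verify_for "$WORK/ise.crt" sslclient   || echo "ise.crt rejected as client cert (serverAuth only)"
verify_for "$WORK/byod.crt" sslclient  || echo "byod.crt rejected (issuer not trusted)"
```

Two failure modes are worth telling apart when a supplicant is refused: a certificate from an untrusted issuer fails the chain build (the byod case, which is the BYOD laptop from the original question), while a certificate from the right CA but the wrong template fails the purpose check (the ise.crt-as-client case). ISE's "Trust for client authentication" flag on the uploaded CA cert is the ISE-side equivalent of `-CAfile` here. Note that "not exportable" is a property of how the client's private key is generated and stored (a template flag honoured by the Windows key store), not of the certificate itself, so nothing in the certificate that ISE receives proves it.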
