1643 Views | 10 Helpful | 5 Replies

802.1x EAP TLS authentication for workgroup user versus Domain user

anilkumar.cisco
Level 4

Hello Team,

We have an 802.1x authentication and authorization profile for Domain users, and things are working perfectly.

Policy set: the profile has Network Access: EAPAuthentication EQUALS EAP-TLS AND Certificate Issuer CONTAINS (root domain name).

Authentication profile has: Network Access: EAPAuthentication EQUALS EAP-TLS AND Certificate Issuer CONTAINS (root domain name), and uses a Certificate Authentication Profile.

Authorization profile: checks the same thing, puts the user into the required group and gives access.

The issue is this: when I broke the domain user machine out of the domain and put it into a workgroup, that workgroup user was still able to authenticate on the secure port.

I was thinking that if the computer were removed from the domain it would not get authenticated, as I am doing 802.1x with the client certificate profile with binary comparison, which checks the live user in the AD group as well.

I am doing EAP-TLS authentication, so that means that anyone who has a client-side certificate and a valid AD user name and password could log in to my secure network.

Or is Cisco ISE maintaining this in its cache somewhere, and that is why it is allowing authorization as an 802.1x client?

I am not doing any machine authentication; only the client-side certificate is matched.

Kindly advise. I am a bit confused.

5 Replies

Damien Miller
VIP Alumni

This would be the behavior I expect if the user continues to log in with the same user profile they used before the machine left the domain. The certificate in the user profile on the machine would still be valid because it is independent of the machine. It required the user to be able to connect to the domain to provision, but once provisioned, that user and user certificate are valid.

Look at the live logs; I imagine you're still seeing the valid user certificate in the authentication details. Look at the machine: open mmc.exe, add the certificate manager snap-in, open the user certificate store and check whether the valid certificate is still present.

So, in this sense, anyone who takes a valid client certificate onto their laptop, or steals a valid customer certificate, and has AD credentials would be able to connect to the customer network?

Please advise.
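The check Damien describes above (look in the user's certificate store rather than the machine's), carried out in PowerShell as an added example that is not part of the original thread. It lists the EAP-TLS-capable certificates in Cert:\CurrentUser\My that chain to the named issuer, pulls the UPN from the Subject Alternative Name, and then compares the local certificate byte-for-byte against the userCertificate attribute of that account in AD, which is what a "binary comparison" in a certificate authentication profile relies on. Nothing in it looks at whether the computer is domain-joined, which is why a user certificate in a roaming profile still works from a workgroup machine. The issuer string, search base and domain controller name are placeholders, and the AD lookup assumes the machine can reach a DC with an account allowed to read userCertificate (run it as a domain user, or pass credentials to the DirectoryEntry constructor).

```powershell
# Added example, not from the original post or from Cisco ISE.
# Placeholders (assumptions): $IssuerMatch, $SearchBase, $DomainController.

function Get-UserEapTlsCertificate {
    param([string]$IssuerMatch)

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $sanOid        = '2.5.29.17'           # Subject Alternative Name

    # User store, not LocalMachine: these certificates live in the user profile
    # and survive the computer leaving the domain.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "*$IssuerMatch*" -and
        # a certificate with no EKU extension is valid for all purposes
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }))
    } | ForEach-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($san) { $san.Format($true) } else { '' }
        # The UPN in the SAN is the identity ISE normally looks up in AD.
        $upn = [regex]::Match($sanText, 'Principal Name=(\S+)').Groups[1].Value
        [pscustomobject]@{
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            NotAfter    = $_.NotAfter
            Thumbprint  = $_.Thumbprint
            Upn         = $upn
            Certificate = $_
        }
    }
}

function Test-CertificateMatchesAd {
    # Returns $true when AD holds exactly this certificate for the UPN,
    # i.e. what a binary comparison against userCertificate would see.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Upn,
        [string]$DomainController,
        [string]$SearchBase
    )
    if (-not $Upn) { return $false }

    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainController/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$Upn))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { return $false }   # account gone or UPN changed

    $localBytes = $Certificate.RawData
    foreach ($bytes in $result.Properties['usercertificate']) {
        # byte-for-byte comparison of the DER encoding
        if ([System.Linq.Enumerable]::SequenceEqual([byte[]]$bytes, [byte[]]$localBytes)) {
            return $true
        }
    }
    return $false
}

# --- usage ---
$IssuerMatch      = 'CONTOSO-ROOT-CA'     # placeholder: part of the issuing CA name
$SearchBase       = 'DC=contoso,DC=local' # placeholder
$DomainController = 'dc01.contoso.local'  # placeholder

foreach ($c in Get-UserEapTlsCertificate -IssuerMatch $IssuerMatch) {
    $match = Test-CertificateMatchesAd -Certificate $c.Certificate -Upn $c.Upn `
                 -DomainController $DomainController -SearchBase $SearchBase
    $c | Select-Object Subject, NotAfter, Thumbprint, Upn,
        @{ Name = 'InAdUserCertificate'; Expression = { $match } } | Format-List
}
```

If the output shows a certificate with InAdUserCertificate = True on the workgroup machine, the same certificate, key and AD account that satisfied the policy before the domain leave are all still present, which is exactly the situation Damien describes. Revoking the certificate, or removing it from the user's userCertificate attribute when binary comparison is in use, is what would change the outcome; changing the computer's domain membership does not.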

hslai
Cisco Employee

I think that is the reason to store certificates on smart cards: the smart card stores the certificate in the personal user store and does not leave it behind.

anilkumar.cisco
Level 4

So, if the smart card also stores the certificate in the personal user store, then my problem remains the same.

Because once I break the domain PC out to a workgroup, the smart card certificate that is in the user's Personal store will still be valid, and he is able to get authenticated on the secure port as a domain user, but in reality that is not a domain user.

Let me know if my understanding is correct.

And if I steal the smart card certificate by importing it, and have an AD user name and password, then I could log in to the customer's secure network.

Please advise.

AFAIK the middleware of the smart cards shall ensure the private keys are not left behind.

Access to smart cards is often protected by another factor (e.g. a PIN).