Beginner

802.1x Wireless - Enforce user AND machine authentication

I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.

The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.

I'd rather not have to deploy user and machine certificates.

All I want to do is allow access to the wireless network only if the device and the user are in AD.

It's such a simple scenario that I must be missing something.

Any suggestions are welcome. Thanks in advance for your comments.

Lucas


2 ACCEPTED SOLUTIONS

Participant

It is possible to authenticate both user and machine; you can verify the computer account against Active Directory (one method).

This document should help (Machine Authentication):

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/eap_pap_phase.html#28901


Rising star

In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend. The last time I looked at the ACS release notes was for 5.4, and it didn't have EAP-Chaining support.

Using the built-in Windows supplicant will only authenticate user or machine at any one time, not both. As you discovered, the feature called MAR used to be what was recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

11 REPLIES
Beginner

Thanks for your reply. I believe that you are correct and that EAP-Chaining is the solution.

Do you know what the "Enable machine authentication" check box does under "End User Authentication Settings" on the first tab of the Active Directory External Identity Store?

I would expect it to enforce machine authentication, but this is not the case.

Rising star

I assume this is the way to enable the MAR feature.

Beginner

The MAR feature has its own tab with an Enable Machine Access Restrictions check box, which makes me wonder what the other check box is for.

Rising star

Maybe it will only authenticate users in AD if that is not checked? It's been a long time since I worked with ACS 5.x and AD.

Rising star

From the user guide table, I would say that this is just to allow ACS to authenticate machine accounts, besides user accounts.

Participant

You will need to add the AD groups you need from External Identity Stores --> AD --> Directory Groups to authenticate against.

Beginner

So the only way to achieve user AND machine authentication is to use Cisco ISE?

It can't be implemented with Microsoft NPS?

Rising star

The only reliable method, I would say, is EAP-Chaining, which is not supported by NPS and probably won't be, since NPS is going to be discontinued.

Beginner

I'm not familiar with Microsoft NPS.

Based on this ISE deployment guide: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf

for user and machine authentication, you need:

  1. User and machine certificates
  2. ISE
  3. EAP Chaining, which requires the use of Cisco AnyConnect Secure Mobility Client because the built-in 802.1x client does not send both certificates at once:

On page 112: “You have deployed both machine certificates and user certificates to Microsoft Windows workstations. However, only one of the certificates is used for authentication—the user certificate when a user is logged in and the machine certificate when one isn’t. EAP Chaining allows you to authenticate using both certificates by using the Cisco AnyConnect Secure Mobility Client 3.1.”
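As an added illustration (not code from any poster, from ACS or from ISE) of the MAR shortcoming raised in the accepted answer and of why the thread settles on EAP-Chaining, here is a small Python model of the two policy decisions. The identities, MAC addresses and the 6-hour MAR aging value are constructed for the walkthrough.

```python
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 6 * 3600  # constructed: MAR aging window expressed in seconds


@dataclass
class MarCache:
    """MAR state on the RADIUS server: MAC -> time of last successful machine auth."""
    entries: dict = field(default_factory=dict)

    def record(self, mac: str, now: int) -> None:
        self.entries[mac] = now

    def is_fresh(self, mac: str, now: int, aging: int = MAR_AGING_SECONDS) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= aging


def mar_decision(cache: MarCache, identity: str, mac: str, now: int) -> str:
    """MAR: two separate PEAP sessions. Machine auth seeds the cache; a later user
    auth is accepted only if the Calling-Station-Id (MAC) has a fresh entry.
    The MAC is reported by the NAS; nothing in the user's EAP exchange proves it."""
    if identity.startswith("host/"):          # Windows machine-account identity
        cache.record(mac, now)
        return "PERMIT_MACHINE"
    return "PERMIT_USER" if cache.is_fresh(mac, now) else "DENY_NO_MACHINE_AUTH"


def eap_chaining_decision(machine_ok: bool, user_ok: bool) -> str:
    """EAP-Chaining: both credentials are validated inside one EAP-FAST tunnel,
    so the policy sees the pair in a single request and needs no cache."""
    if machine_ok and user_ok:
        return "PERMIT_BOTH"
    if machine_ok:
        return "PERMIT_MACHINE_ONLY"   # e.g. pre-logon, map to a restricted VLAN
    return "PERMIT_USER_ONLY" if user_ok else "DENY"


def mar_walkthrough() -> list:
    """Constructed timeline for one Windows 7 laptop (MAC aa:bb:cc:dd:ee:ff)."""
    cache, mac, t0 = MarCache(), "aa:bb:cc:dd:ee:ff", 1_000_000
    return [
        mar_decision(cache, "host/LAPTOP01.corp.example", mac, t0),         # boot
        mar_decision(cache, "CORP\\lucas", mac, t0 + 60),                   # logon
        mar_decision(cache, "CORP\\lucas", "11:22:33:44:55:66", t0 + 120),  # unknown MAC
        mar_decision(cache, "CORP\\lucas", mac, t0 + 8 * 3600),             # no reboot, cache aged out
    ]
```

The last MAR step is the everyday drawback: a user who never logged off is denied on a reconnect once the cache ages out, while the chaining decision keys only on what was proven in the current session.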