3962 Views · 5 Helpful · 11 Replies

802.1x Wireless - Enforce user AND machine authentication

lucasmarcel
Level 1

I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.

The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.

I'd rather not have to deploy user and machine certificates.

All I want to do is allow access to the wireless network only if the device and the user are in AD.

It's such a simple scenario that I must be missing something.

Any suggestions are welcome. Thanks in advance for your comments.

Lucas


2 Accepted Solutions: the replies from petenixon and jan.nielsen below.

11 Replies

petenixon
Level 3

It is possible to authenticate both user and machine; you can verify the computer account against Active Directory (one method).

This document should help (Machine Authentication):

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/eap_pap_phase.html#28901

jan.nielsen
Level 7

In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend. The last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.

Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.
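To make the "you cannot be sure" point concrete, here is an added toy model (written for this page, not code from the thread, from ACS or from ISE) contrasting the two approaches. It assumes, as a simplification, that MAR remembers a successful machine authentication keyed only by the client MAC carried in RADIUS Calling-Station-Id and forgets it after an aging time, and that EAP-Chaining presents both credentials inside one EAP session so the server sees both results together. The AD accounts, MAC addresses, host names and the 6-hour aging value are constructed for the example.

```python
# Added example: toy comparison of MAR-style and EAP-Chaining-style
# user+machine enforcement on a RADIUS server. Not ACS/ISE code.
# Assumptions: MAR caches machine-auth success per Calling-Station-Id (MAC)
# with an aging time; EAP-Chaining evaluates both credentials in one session.
from dataclasses import dataclass, field

AD_COMPUTERS = {"host/PC01.corp.example"}   # constructed machine accounts
AD_USERS = {"CORP\\lucas"}                  # constructed user accounts
MAR_AGING = 6 * 3600                        # assumed aging time, in seconds


@dataclass
class MarServer:
    """MAR: a successful machine auth is remembered by MAC; a later user auth
    from that MAC is accepted only while the entry is unexpired."""
    now: float = 0.0                                   # fake clock, seconds
    cache: dict = field(default_factory=dict)          # mac -> expiry time

    def machine_auth(self, mac: str, machine_id: str) -> bool:
        ok = machine_id in AD_COMPUTERS
        if ok:
            self.cache[mac] = self.now + MAR_AGING
        return ok

    def user_auth(self, mac: str, user: str) -> bool:
        user_ok = user in AD_USERS
        # The only link to the machine is the MAC seen earlier: nothing in the
        # user's EAP session proves it comes from that same machine.
        machine_seen = self.cache.get(mac, -1.0) > self.now
        return user_ok and machine_seen


def eap_chaining_auth(machine_id: str, user: str) -> str:
    """EAP-Chaining: both credentials arrive in one EAP conversation, so the
    server can report which of them passed and policy can require both."""
    m = machine_id in AD_COMPUTERS
    u = user in AD_USERS
    if m and u:
        return "machine_and_user"
    if u:
        return "user_only"
    if m:
        return "machine_only"
    return "none"


def run_scenarios() -> dict:
    """Constructed scenarios; returns the decision each approach makes."""
    srv = MarServer()
    r = {}
    # 1: domain PC boots and machine-authenticates; user logs on an hour later.
    srv.now = 0
    srv.machine_auth("00:11:22:aa:aa:aa", "host/PC01.corp.example")
    srv.now = 3600
    r["mar_domain_pc"] = srv.user_auth("00:11:22:aa:aa:aa", "CORP\\lucas")
    # 2: personal laptop with valid domain user credentials, no machine auth.
    r["mar_byod"] = srv.user_auth("00:11:22:bb:bb:bb", "CORP\\lucas")
    # 3: same laptop spoofing PC01's MAC: MAR has nothing else to bind to.
    r["mar_spoofed_mac"] = srv.user_auth("00:11:22:aa:aa:aa", "CORP\\lucas")
    # 4: PC01 stays up past the aging time and the user re-authenticates
    #    (for example on a roam): a legitimate client is now rejected.
    srv.now = MAR_AGING + 1
    r["mar_aged_out"] = srv.user_auth("00:11:22:aa:aa:aa", "CORP\\lucas")
    # 5: EAP-Chaining with the same two devices, MAC irrelevant.
    r["chain_domain_pc"] = eap_chaining_auth("host/PC01.corp.example", "CORP\\lucas")
    r["chain_byod"] = eap_chaining_auth("host/LAPTOP.home", "CORP\\lucas")
    return r


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18} -> {decision}")
```

Scenarios 3 and 4 are the two failure modes jan.nielsen alludes to: with MAR the binding between user and machine is only a MAC address plus a timer, so it can be both spoofed (false accept) and aged out (false reject), whereas the chained result in scenario 5 lets policy say "allow only when machine_and_user".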

Thanks for your reply. I believe that you are correct and the EAP-Chaining is the solution.

Do you know what the "Enable machine authentication" check box does under "End User Authentication Settings" on the first tab of the Active Directory External Identity Store?

I would expect it to enforce machine authentication but this not the case.

I assume this is the way to enable the MAR feature.

The MAR feature has its own tab with a Enable Machine Access Restrictions check box, which makes me wonder what the other check box is for.

Maybe it will only authenticate users in AD if that is not checked? It's been a long time since I worked with ACS 5.x and AD.

From the user guide table, I would say that this is just to allow ACS to authenticate machine accounts, besides user accounts.

You will need to add the AD groups you need from External Identity Stores --> AD --> Directory Groups to authenticate against.

MUQ_1899_
Level 1

So the only way to achieve user AND machine authentication is to use Cisco ISE?

It can't be implemented with Microsoft NPS?

The only reliable method, I would say, is EAP-Chaining, which is not supported by NPS, and probably won't be, since NPS is going to be discontinued.

I'm not familiar with Microsoft NPS.

Based on this ISE deployment guide: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf

for user and machine authentication, you need:

  1. User and machine certificates
  2. ISE
  3. EAP Chaining, which requires the use of Cisco AnyConnect Secure Mobility Client because the built-in 802.1x client does not send both certificates at once:

On page 112:“You have deployed both machine certificates and user certificates to Microsoft Windows workstations. However, only one of the certificates is used for authentication—the user certificate when a user is logged in and the machine certificate when one isn’t. EAP Chaining allows you to authenticate using both certificates by using the Cisco AnyConnect Secure Mobility Client 3.1.”
