1120 Views, 0 Helpful, 8 Replies

Authentication using username-password/certificates by ISE

raksec
Cisco Employee

Hello,

We have a use case where users should be authenticated by username-password/certificates both simultaneously for Windows/Mac. Is this possible?

Thanks,

Rakesh Kumar

8 Replies

Jason Kunst
Cisco Employee
Please explain further your exact needs and why:
We already have EAP chaining for windows that ties together machine and user credentials with Anyconnect NAM
For Mac and windows You can do machine certificates with CWA chaining

Not talking about EAP-chaining which combines user/machine authentication. Here is the use case:

  • Authenticating users by using password and certificates both simultaneously for windows/mac.
  • Authenticating machines by using password and certificates both simultaneously for windows/mac.

You have several security protocols that you can use to accomplish either/or. From a security standpoint you are better off using certificates with EAP-TLS. Why couldn't you enforce CAC authentication to the domain that authenticates the user based on user principal name, and then implement NAM to auth the computer via certificate and the user either with cert or common access card?

Supplicants only send 1 or the other at a time. You can do machine auth before login and then user auth upon login (windows). Please explain further why and how

If that is directed at me I missed the simultaneously piece. However, if there are already solutions available to auth both users & comps via certificates I don't see a benefit to adding username/pass. Just my opinion. Regardless, I don't know enough about the requirements to provide more details.

Guys,

First of all, my use case is not related to EAP-chaining. This is similar to what works for AnyConnect where ASA validates the user's certificate first, then checks with the RADIUS server to validate the user's password.

Let me try again to explain the customer's requirement.

User 'John' has a corporate laptop. For instance, keep laptop authentication out of this. When John tries to connect to the network, he should be authenticated by his password as well as the certificate provided to him. ISE should be able to validate both types of credentials.

hslai
Cisco Employee

Jason already answered. ASA supports multiple authentications combining with user/machine certificate for remote-access VPN connections while ISE is supporting mostly single authentications, except for EAP chaining and CWA chaining for wired and wireless.

I agreed with Mike.Cifelli that using MFA, such as smart cards (e.g. CAC cards), is the way to go.

raksec
Cisco Employee
Understood, thank you all.