623 Views · 5 Helpful · 3 Replies

Benefits of using both certs & user-auth?

CSCO10662744_2
Level 1

Is it true that if both certs & username/password are needed, the AnyConnect supplicant is required to support it?

If we're using certs, don't we already identify that individual user, so what are the benefits, to also require username/password on top of it?

If only certs are used, would the auth entries in ISE just show up w/ the cert names? If that's the case, should we use a cert naming convention that's easy to identify who the user is?
If username/password is used in addition to certs, would we be able to see the username in the ISE logs, w/o relying on a good naming convention?

TIA

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee

When you are doing certificate-based authentication (EAP-TLS or EAP-PEAP-TLS), then during the authentication stage ISE only confirms the validity of the certificate. During the authorization stage, ISE can check with AD and confirm that the identity tied to that certificate is valid and not disabled.

Now, if you want to perform both machine and user authentication then you will have to use AnyConnect and perform what is called EAP-Chaining (EAP-TEAP). Now, keep in mind that this solution only works for Windows based machines.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

I hope this helps!

Thank you for rating helpful posts!

3 Replies


Thank you for your reply.

Do you see many people use EAP chaining?
What are the benefits of it? It seems to add some complexity to the solution.

If we only deploy cert-based auth, would we be able to identify the user in the ISE logs?
For example, can I just search for "jsmith" for the auth entries, or would I need to know the name of the cert assigned to the user?

No problem!

#1) No, I have only had 1 customer that deployed EAP-Chaining. We generally recommend against it and always try to use the native supplicant.

#2) Yes and no. It would really depend on how the certificate is generated and what ISE is set to check for the certificate username. For instance, if the certificate template is set to use the AD Username for the CN (Common Name), then you can configure ISE to use the CN as the Principal Username. As a result, the AD username will show up in the ISE logs. That will also enable you to create an authorization policy that can check and confirm that:

1. A particular user is a member of a certain AD group

2. The user account is not disabled

Thank you for rating helpful posts!
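To make the two stages in the answers above concrete, here is a small added model (example code, not ISE's or Cisco's) of what the authorization stage does once the certificate itself has been validated: pick the identity from the certificate (Subject CN or SAN UPN, mirroring the "Principal Username" choice), look it up in a constructed stand-in for AD, and reject if the account is disabled or not in the required group. The certificates, usernames and groups are constructed; `ACCOUNTDISABLE` is the real AD userAccountControl bit.

```python
import re

# Constructed stand-in for AD. userAccountControl bit 0x2 is ACCOUNTDISABLE in real AD.
ACCOUNTDISABLE = 0x2
DIRECTORY = {
    "jsmith": {"userAccountControl": 0x200, "memberOf": ["VPN-Users", "Domain Users"]},
    "tjones": {"userAccountControl": 0x200 | ACCOUNTDISABLE, "memberOf": ["VPN-Users"]},
    "rlee":   {"userAccountControl": 0x200, "memberOf": ["Domain Users"]},
}

# Constructed client certificates (the fields ISE would read from the presented cert).
USER_CERT = {"subject": "CN=jsmith,OU=Users,DC=corp,DC=example", "san_upn": "jsmith@corp.example"}
DISABLED_CERT = {"subject": "CN=tjones,OU=Users,DC=corp,DC=example", "san_upn": "tjones@corp.example"}
# CN is a device name, so a CN-based profile cannot map it to a user; the SAN UPN can.
DEVICE_NAMED_CERT = {"subject": "CN=LAPTOP-0042,OU=Workstations,DC=corp,DC=example",
                     "san_upn": "jsmith@corp.example"}

def subject_attrs(dn):
    """Parse a subject DN such as 'CN=jsmith,OU=Users,DC=corp' into {RDN type: first value}."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):      # split on commas not escaped with a backslash
        key, _, val = rdn.strip().partition("=")
        attrs.setdefault(key.upper(), val)
    return attrs

def principal_username(cert, source):
    """Mimic a certificate authentication profile's 'use identity from' choice.
    source is 'CN' (Subject Common Name) or 'UPN' (SAN UserPrincipalName, domain stripped)."""
    if source == "CN":
        return subject_attrs(cert["subject"]).get("CN")
    if source == "UPN":
        upn = cert.get("san_upn")
        return upn.split("@", 1)[0] if upn else None
    raise ValueError(f"unsupported username source {source!r}")

def authorize(cert, source, required_group):
    """Authorization stage only: the cert is assumed already validated by the authentication stage.
    Returns (decision, username); the username is what would appear in the authentication log."""
    user = principal_username(cert, source)
    entry = DIRECTORY.get(user) if user else None
    if entry is None:
        return "REJECT: identity not found in AD", user
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return "REJECT: account disabled", user
    if required_group not in entry["memberOf"]:
        return f"REJECT: not a member of {required_group}", user
    return "PERMIT", user

if __name__ == "__main__":
    for cert in (USER_CERT, DISABLED_CERT, DEVICE_NAMED_CERT):
        print(authorize(cert, "CN", "VPN-Users"), authorize(cert, "UPN", "VPN-Users"))
```

The device-named certificate shows the naming-convention point from the thread: with a CN-based identity the log line carries "LAPTOP-0042" and the lookup fails, while reading the SAN UPN yields "jsmith".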