12-06-2016 12:32 PM - edited 03-11-2019 12:16 AM
Hi,
Apart from MAR and EAP Chaining, what other methods/workarounds are there for ensuring employees access the network from domain-joined computers only when using EAP-TLS?
Labels: AAA

Accepted Solutions
12-07-2016 05:21 PM
Hi there! Just to confirm, is your requirement:
1. Dual-factor authentication (user + machine)?
2. Preventing non-domain-joined machines from accessing the network?
If it is #1, then I would suggest exploring a "chaining" method. One of those can be EAP Chaining; however, to use that method you will also need to deploy and rely on the Cisco AnyConnect NAM module. Also, this method only works for Windows machines and is not supported on Macs, Linux and mobile. You can also do PEAP with CWA chaining. With this method, your first method of authentication is PEAP with machine authentication. After that authentication is successful, the user is redirected to the web portal in ISE, where he/she has to enter domain user credentials before access to the network is given.
If it is #2, then I would suggest simply using PEAP with machine-based authentication. That way only domain-joined machines would be allowed to successfully authenticate and authorize on the network. The main caveat here is to ensure that your AD environment is well secured, as I think by default any domain user can join up to 10 machines to the domain. So, if AD is locked down properly, then using PEAP with machine authentication is the way to go.
I hope this helps!
Thank you for rating helpful posts!
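The accepted answer hinges on the AD caveat: machine authentication only proves "this computer has a domain account", so it is only as strong as the controls on who may create computer accounts. The script below is an added example, not part of the original thread or of any Cisco documentation. It reads the domain's ms-DS-MachineAccountQuota (the default of 10 the answer refers to), lists computer objects that an ordinary user created under that quota (AD records the creator in mS-DS-CreatorSID only for quota-based joins, not for joins by administrators or delegated accounts), and optionally sets the quota to 0 so that only explicitly delegated accounts can join machines. It assumes the ActiveDirectory RSAT module and an account with rights to read, and when enforcing, modify the domain naming context; the function name is this example's own.

```powershell
# Added example: review and harden the AD machine-account quota behind PEAP/EAP-TLS
# machine authentication. Not code from the original thread. Requires the
# ActiveDirectory module (RSAT) and rights on the domain naming context.
Import-Module ActiveDirectory

function Invoke-MachineAccountQuotaReview {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Set the quota to 0 after reporting; without this switch the function only reports.
        [switch]$Enforce
    )

    $domain = Get-ADDomain
    $domainDn = $domain.DistinguishedName

    # 1. Current quota. Default is 10: any authenticated user may create 10 computer objects,
    #    each of which would pass machine authentication just like an IT-provisioned laptop.
    $quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Write-Host ("ms-DS-MachineAccountQuota on {0}: {1}" -f $domain.DNSRoot, $quota)

    # 2. Computers joined by non-admins under the quota. mS-DS-CreatorSID is populated only
    #    in that case; an empty value means an admin or a delegated account did the join.
    $userJoined = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated, OperatingSystem |
        Where-Object { $null -ne $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = $_.'mS-DS-CreatorSID'
            # Resolve the creator; a deleted user leaves an unresolvable SID, which is itself worth noting.
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{
                Computer        = $_.Name
                CreatedBy       = $creator
                WhenCreated     = $_.whenCreated
                OperatingSystem = $_.OperatingSystem
            }
        }

    if ($userJoined) {
        Write-Host ("{0} computer object(s) were created by ordinary users under the quota:" -f @($userJoined).Count)
        $userJoined | Sort-Object WhenCreated | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Host "No computer objects were created under the user quota."
    }

    # 3. Optional hardening: quota 0 means only accounts granted the right explicitly
    #    (e.g. via delegation on the Computers OU) can join machines. Honors -WhatIf.
    if ($Enforce -and $quota -ne 0) {
        if ($PSCmdlet.ShouldProcess($domain.DNSRoot, "Set ms-DS-MachineAccountQuota to 0")) {
            Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
            Write-Host "ms-DS-MachineAccountQuota set to 0."
        }
    }

    # Return the findings so they can be exported or compared across runs.
    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        MachineAccountQuota = $quota
        UserJoinedComputers = @($userJoined)
    }
}

# Usage: report only, then enforce with a dry run before committing.
#   Invoke-MachineAccountQuotaReview
#   Invoke-MachineAccountQuotaReview -Enforce -WhatIf
#   Invoke-MachineAccountQuotaReview -Enforce
```

Run the report first and review the user-joined list: each of those computer accounts is a device that would satisfy a machine-only authorization rule in ISE, so disable or reclaim any you cannot attribute to an authorized join before relying on machine authentication as the "domain-joined only" control. Setting the quota to 0 stops new quota-based joins but does not remove existing accounts, which is why the report step comes first.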
