Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5240
Views
24
Helpful
6
Replies

Certificate based authentication with EAP chaining

Go to solution
sqambera
Level 1
Level 1

‎04-04-2016 02:34 PM - edited ‎03-10-2019 11:38 PM

Hi everyone,

My question is about EAP-TLS and EAP Chaining. I know EAP-TLS is used for certificate based authentication. I am thinking of using it with EAP Chaining which employees both machine and user authentication. So if we use EAP-TLS with EAP chaining, would it mean that ISE will validate user certificate as well as machine certificate? I am not even sure whether there is anything which is called user certificate. Not a Microsoft guy.

My second question is that is there a way that we could use simultaneously both certificate and username/password for authentication?

I'd highly appreciate any explanation or reference document that could help to clarify my concept about it.

Thanks,

Qamber

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7
In response to sqambera

‎04-06-2016 08:24 AM

Yes, with EAP-Chaining you can do both machine and user certificate authentication at the same time.

Yes, you can use EAP-TLS and PEAP/MSCHAPv2 also in the same authentication, this is whats special about EAP-Chaining, and why it's requires anyconnect nam. When you define your anyconnect configuration, you will be asked if you wan't to do user, machine or user and machine authentication, and you will get two seperate config settings, one for user and one for machine, and you can select any EAP method in those, they don't have to be the same.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

View solution in original post

6 Replies 6

Go to solution
jan.nielsen
Level 7
Level 7

‎04-05-2016 08:46 AM

So first off, EAP-Chaining requires anyconnect nam installed, and is windows only. Windows has a concept of a user and a machine, which have different credentials. EAP-Chaning allows you to tunnel EAP-TLS or PEAP thorugh EAP-Chaining (actually it's technically EAP-FAST).

So EAP-Chaining allows you to bind your machine identity and your user identity together in an ISE policy, so you can see what user is logged in, to which machine, and ensure that only valid machines can be used to log in as a user. EAP-Chaning also allows for different eap types in the same authentication, which means you can use EAP-TLS for machine certificate authentication, combined with PEAP/AD user login. In ISE, you can then use the attribute EAPchaingresult, to make check if the authentication has passed both user and machine login. Hope that answers some of your questions.

Go to solution
sqambera
Level 1
Level 1
In response to jan.nielsen

‎04-05-2016 11:53 AM

Many thanks Jan for your reply. Its really helpful.

So based on description about EAP chaining and that you said "you can use EAP-TLS for machine certificate authentication", does it mean that through EAP chaining in EAP-TLS, ISE can check both machine and user certificate in same authentication?

I understand from your response that answer to my second question whether or not we can use certificate based authentication (EAP-TLS) with AD username/password for authentication together is yes. But I am not sure how it would be done because outer protocols like PEAP or EAP-FAST select internal EAP type like either MD5, MSCHAP or EAP-TLS. So would it be like we select both EAP-TLS and MSCHAP in EAP-FAST/PEAP? 

Thanks again,

Qamber

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to sqambera

‎04-06-2016 08:24 AM

Yes, with EAP-Chaining you can do both machine and user certificate authentication at the same time.

Yes, you can use EAP-TLS and PEAP/MSCHAPv2 also in the same authentication, this is whats special about EAP-Chaining, and why it's requires anyconnect nam. When you define your anyconnect configuration, you will be asked if you wan't to do user, machine or user and machine authentication, and you will get two seperate config settings, one for user and one for machine, and you can select any EAP method in those, they don't have to be the same.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Go to solution
sqambera
Level 1
Level 1
In response to jan.nielsen

‎04-06-2016 08:43 AM

Thanks Jan. I appreciate your time and effort to answer my questions.

0 Helpful

Go to solution
jju
Level 1
Level 1
In response to jan.nielsen

‎01-23-2018 01:13 PM

Hi Jan.

 

Is it possible to do the same with mac computers? (With the NAM module

 

They do have a computer store, and it is possible to install both a Computer and a User certificate on them.

0 Helpful

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to sqambera

‎09-24-2021 12:26 PM

u cant authenticate the same entity (f.e. user) with different approaches (f.e. EAP-TLS or MSCHAPv2) simultaneously. it's senseless. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents