03-23-2015 12:44 PM - edited 03-10-2019 10:34 PM
Hi
I want to find out if it's possible on ISE dot1x implementation to authenticate domain machines using EAP-TLS (certificate) and after successful authentication, authorize the user using AD domain users. I can't seem to get this to work, the ISE just skips the authorization policy which I created to reference AD.
It seems you can only authenticate and authorize with the same parameter, which I was able to achieve using MSCHAP-V2.
My aim is to authenticate the connecting PC using internal CA and further authorize the users using AD membership.
Thanks
03-27-2015 09:11 AM
Although EAP Fast and the EAP chaining are not proprietary to Cisco, AnyConnect is the only supplicant that I am aware of that currently supports the feature.
The only other option that I can tell you is using machine access restrictions (MAR), but I would highly recommend against this unless the customer is aware of the caveats associated with MAR. With MAR the supplicant is configured to use "user or computer". When the user is logged off the device authenticates using the computer's account. When the user logs in the supplicant starts the authentication process over using the user credentials. With MAR ISE first verifies that the machine authenticated before the user. If not, then the user is not authorized to connect. The issue is that if the device goes into hibernation instead of logging off, the user may fail to authenticate because ISE doesn't see the computer auth.
EAP chaining is the answer to MAR's shortfalls. This is because the computer and the user authenticate together every time.
If their goal is to ensure that the device is a corporate owned device then you can always consider posture as a means to ensure that. You can have a registry entry, or file on the computer that signifies that the device is a corporate owned device. You would still need to install the posture agent and this would change the licensing requirements, whereas EAP chaining is included in the base licensing and doesn't require Plus or Apex.
The other outside of the box idea that I have seen is to use GPO to change the LAN NIC's name to something like "Corporate LAN" and then using profiling you can create a custom profile that matches. See pages 91-114; there are several options listed including the ones I've already mentioned.
http://d2zmdbbm9feqrf.cloudfront.net/2015/anz/pdf/BRKSEC-3697.pdf
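As an added illustration of the MAR caveat described in the reply above (this is not part of the thread and not Cisco or ISE code), the toy model below keeps a MAR-style record of which endpoint MAC recently completed a machine authentication and only permits a user authentication when that record exists and has not aged out. The hibernate-and-resume case then reproduces the failure the reply warns about, while the EAP chaining path, which carries both results in one exchange, does not depend on any cached record. All names (MarCache, authorize_user_mar, authorize_eap_chaining) and the aging time are constructed for the example.

```python
"""Toy model: ISE Machine Access Restriction (MAR) versus EAP chaining.

Constructed example for this forum thread; not ISE's implementation.
MAR: ISE remembers that a machine authenticated (keyed by endpoint MAC,
with an aging time) and a later user-only authentication is authorized
only if that record is still present. EAP chaining: machine and user
credentials are validated together in one exchange, so no cache is used.
"""
from dataclasses import dataclass, field

MAR_AGING_HOURS = 6.0  # constructed value; ISE exposes MAR aging time as a setting


@dataclass
class MarCache:
    """Endpoint MAC -> hour (on a simulation clock) of the last machine auth."""
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now_hours: float) -> None:
        self.entries[mac] = now_hours

    def machine_authenticated(self, mac: str, now_hours: float) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now_hours - seen <= MAR_AGING_HOURS


def authorize_user_mar(cache: MarCache, mac: str, user_ok: bool, now_hours: float) -> str:
    """MAR decision: valid user credentials AND a fresh machine-auth record."""
    if not user_ok:
        return "reject: user credentials"
    if not cache.machine_authenticated(mac, now_hours):
        return "reject: no prior machine authentication (MAR)"
    return "permit"


def authorize_eap_chaining(machine_ok: bool, user_ok: bool) -> str:
    """EAP chaining decision: both results arrive in the same EAP exchange."""
    if machine_ok and user_ok:
        return "permit"
    if user_ok:
        return "restricted: user only (non-corporate device)"
    if machine_ok:
        return "restricted: machine only (no user logged on)"
    return "reject"


def simulate_mar_scenarios() -> dict:
    """Run the two situations the reply contrasts and return the verdicts."""
    mac = "00:11:22:33:44:55"  # constructed endpoint MAC
    results = {}

    # Log off / log on: machine auth while logged off, user logs on minutes later.
    cache = MarCache()
    cache.record_machine_auth(mac, now_hours=0.0)
    results["logoff_logon"] = authorize_user_mar(cache, mac, True, now_hours=0.1)

    # Hibernate with the user logged on, resume next morning: the supplicant
    # resumes the user session, so only a user auth is sent and the machine
    # record has aged out.
    cache = MarCache()
    cache.record_machine_auth(mac, now_hours=0.0)
    results["hibernate_resume"] = authorize_user_mar(cache, mac, True, now_hours=10.0)

    # Same resume with EAP chaining: both credentials are presented together.
    results["hibernate_resume_chaining"] = authorize_eap_chaining(True, True)
    return results


if __name__ == "__main__":
    for scenario, verdict in simulate_mar_scenarios().items():
        print(f"{scenario}: {verdict}")
```

Running it prints a permit for the log off / log on case, a MAR reject for the hibernate-and-resume case, and a permit for the same resume under EAP chaining, which is the whole point of the reply: MAR depends on ordering and a cache, EAP chaining does not.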
03-23-2015 02:25 PM
This can be accomplished using EAP-Chaining and AnyConnect.
It may not specify it in the document but you can use different inner methods for the Machine and User authentication.
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-80-EAPChaining_Deployment.pdf
03-27-2015 07:53 AM
Hi Justin,
Thanks for the response. I've been reading about EAP chaining but my challenge is that the customer doesn't want to deploy the AnyConnect supplicant.
Can you categorically state if this can be achieved with windows 7/8 native supplicant?
If yes, do you have an idea of the NIC setting?
Thanks