Cisco ISE EAP chaining and Multi-factor Authentication NIST 171 3.5.3

WilliamCosner
Level 1

I am trying to assess compliance with the NIST SP800-171r2 control for Multi-factor Authentication (3.5.3). Our client is using Cisco ISE and is using EAP chaining to authenticate the device using a device and a user certificate. I have read the white paper titled Cisco ISE_How-To_82_Deploy_EAP_Chaining, but I do not see where in the process the user certificate itself is actually activated by a PIN or password. I see it is validated as existing, but for the purposes of the NIST 171 control, the certificate must be unlocked by some mechanism (such as how a TPM is unlocked to expose the certificate contained for Windows Hello). And how does this process work for unlocking a computer that has been in screensaver timeout mode? The process described in the article is more in line with the NAC requirement of control 3.1.1. So, how is Cisco meeting the MFA requirement (3.5.3) for standard user logins?

4 Replies

Mike.Cifelli
VIP Alumni

This is a good question. I am going to provide info that hopefully helps, as the exact answer IMO depends on how the clients are set up to onboard. Also, I am under the assumption that your client is using AnyConnect NAM (Network Access Manager) to utilize EAP-FAST to accomplish EAP chaining. I say this because built-in native supplicant support for TEAP just recently started earlier this year. Note that in order to accomplish EAP chaining via the native supplicant you need to be running ISE 2.7 with Win10 build 2004.

With NAM you have the ability to utilize EAP chaining with a few different user credential options. Those options include single sign-on, prompt for credentials (remember forever, remember while user is logged on, never remember), or static credentials. These scenarios are configured with the AnyConnect profile editor, which creates an XML profile that contains settings on how NAM should handle authentication.

Upon triggering authentication to properly onboard to your client's network, the user is either prompted to select a certificate (if set up for this), or your net admin may have set up certificate matching rules in your XML profile which would automatically select the appropriate cert and prompt for the PIN. Note that via the NAM profile you can configure it to never remember the PIN (always prompt), remember while the user is logged on, or remember forever. Obviously this will play a role in what you may see from a client when testing/trying to understand the workflow.

As far as unlocking the computer, there is the ability to enable port exceptions via the profile I have mentioned that would allow data traffic before authentication. You can also configure NAM to "attempt connection" before user logon, which would attempt to onboard prior to getting to the desktop.

My recommendation would be to get with your network team so that they can explain how the workflow is setup in your environment.  Lastly, you can see the client NAM profile here: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml

HTH!

Thanks Mike. I am assessing as an invited third party, so the network isn't mine. I'll post the process the client is using for authentication. I do not believe the user certificate just being acknowledged by ISE is a true second form of user authentication because it does not pair the certificate with a PIN to unlock it, although I am willing to admit I am wrong. Anyway, here's their summarized authentication process:

1. PC boots
2. Operating System loads
3. OS queries DNS for where to find the domain
4. The computer object is authenticated to Active Directory (LDAP/Kerberos).
5. The PC pulls computer-based Group Policies (GPOs)
6. The legal notice must be acknowledged by clicking OK
7. The logon screen appears
8. The user initiates logon via entering a password (1st Factor)
9. Standard Windows logon authenticates the credential using a cached credential stored on the computer and allows logon to the local computer.
a. A user-based MSPKI certificate is already present and installed in the user's Certificate Store.
10. The desktop loads
11. The AnyConnect client loads and executes a network authentication to Cisco ISE
a. Cisco ISE expects a device-based MPKI certificate to be presented for authentication
b. Cisco ISE then expects a user-based MSPKI certificate to be presented (2nd factor)
12. Cisco ISE accepts both factors and issues an IP address to the computer


I'm not seeing how merely presenting a certificate is a second factor without the certificate requiring a PIN or password itself, but again, I welcome correction.

WilliamCosner
Level 1

Anyone else have any info that can help me better understand the certificate's role in ISE's 2nd factor of authentication?

EAP Chaining is not a form of 2FA/MFA, nor is it intended to be. It is simply a mechanism used to tie the user and computer credentials together to allow differentiation of a corp user using a corp machine vs. a corp user using a non-corp machine (like a BYO device).

The user logging into the computer with AD credentials is authenticating to the domain. The certificate presented to the RADIUS server via EAP-TLS is authenticating to the network. Both of these processes would be considered single-factor. If you need true 2FA/MFA, you would need to add the use of a CAC (Common Access Card) or another MFA solution.

The process steps you listed below are also not entirely accurate. See Machine Authentication and User Authentication for more information on how the Windows supplicant works.
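For an assessor who wants evidence of whether the user certificate's private key is actually gated by a PIN or hardware (the point raised in the question), one check that can be run on the client is to look at which key storage provider holds each key. This is an added example for this thread, not Cisco's or the poster's code; it assumes Windows 10+, Windows PowerShell 5.1+ and RSA keys (other key types are reported as "other/unknown").

```powershell
# Added example (not from the thread): list the current user's certificates and
# the key storage provider (KSP) or CSP that holds each private key.
# Rule of thumb for the report:
#   "Microsoft Smart Card Key Storage Provider"  -> PIN required per use (CAC/PIV)
#   "Microsoft Passport Key Storage Provider"    -> gated by Windows Hello PIN/biometric
#   "Microsoft Platform Crypto Provider"         -> TPM-bound to the device
#   "Microsoft Software Key Storage Provider"    -> software key, nothing to unlock
function Get-UserCertKeyProtection {
    $results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My |
                        Where-Object { $_.HasPrivateKey }) {
        $provider = 'other/unknown'
        $gated = $false
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the KSP name shows whether a smart card, Hello, or TPM holds it
                $provider = $rsa.Key.Provider.Provider
                $gated = [bool]($provider -match 'Smart Card|Passport|Platform Crypto')
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI CSP: container info flags hardware-backed keys
                $provider = $rsa.CspKeyContainerInfo.ProviderName
                $gated = [bool]$rsa.CspKeyContainerInfo.HardwareDevice
            }
        } catch {
            # Key access denied, or the key lives on a card that is not inserted
            $provider = "inaccessible: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Provider      = $provider
            PinOrHwGated  = $gated
        }
    }
    return $results
}

Get-UserCertKeyProtection | Format-Table -AutoSize
```

A user certificate whose key sits in the software KSP is presented to ISE without any unlock step, which is the situation the thread's final answer describes as single-factor.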