Computer and user authentication

snir_orlanczyk
Level 1

I have a client who is looking to deploy user + computer authentication. We need to verify that the computer is a domain device and set a dynamic VLAN based on the logged-in user. I have used NAM with EAP chaining in other deployments, but it came with a price (there are a lot of issues with this driver, especially when trying to upgrade).

So my question is: what is the best way to achieve this without using NAM with EAP chaining?

 

From the research I've done, these are the available options, but I am not sure which one is better suited for us:

- dot1x + PassiveID - it looks great on paper, but I am not sure if PassiveID can deliver, as it seems pretty complex to troubleshoot

- implicit authentication with EAP-TLS - if we are using EAP-TLS with non-exportable user certs, we can assume that this is a domain computer. The problem here is that cert auto-enrollment can be a bit tricky to deploy.

- MAR caching - ISE will "remember" the MAC address of a machine that has been authenticated, and if a user authentication comes from the same MAC address, ISE can assume that both the user and the computer are authenticated. Seems like a simple solution, but pretty easy to crack (security-wise), because all it takes is spoofing the MAC address of a domain computer and entering a valid username + password.


Thank you,

Snir

Accepted Solution

Despite the challenges you have faced with AnyConnect, NAM is the best way to go about this, as Mohammed al Baqari mentioned. You can always get them resolved with TAC. Having said that, using MAR Cache is not a bad idea either. If NAM is an absolute no-go, I would strongly suggest you look into this. With MAR Cache, machine and user authentication are done separately; however, a machine authentication cache is kept and can be used to validate a successful machine authentication after a successful user authentication and provide access accordingly. Starting from 2.4, as my memory serves, you can have a distributed MAR Cache among nodes in a node group. In previous versions, it used to be separate for each PSN.

Note that a successful machine authentication is tied to the end point and not the machine credentials themselves. If you have a wired and a wireless network authenticating against ISE, then the MAR cache entries for each NIC would be kept separate for a machine.

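To make the MAR Cache behaviour discussed in the question and in the accepted solution concrete, here is a small simulation added for this thread. It is not ISE code and not any poster's configuration: it models a per-MAC machine-authentication cache with an aging time, a user authentication that inherits "machine authenticated" only on a cache hit, and the RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that carry the dynamic VLAN. The aging time, VLAN IDs, identities, MAC addresses and passwords are constructed assumptions.

```python
"""Toy model of ISE's MAR (Machine Access Restriction) cache plus dynamic VLAN.

Added illustration for this thread, not ISE code. It models the behaviour
described in the posts above:
  * a successful machine authentication is cached per endpoint MAC address,
  * a later user authentication from the same MAC is treated as "machine
    authenticated" and gets the user's VLAN,
  * a user authentication without a cache hit only gets a restricted VLAN,
  * the cache is keyed on the endpoint (MAC), not on the machine credential,
    so a second NIC of the same machine has no entry, and a spoofed MAC with
    valid user credentials does get a hit.
The aging time, VLAN IDs, identities and passwords are constructed assumptions.
"""
from dataclasses import dataclass, field

# RADIUS attribute values used for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

# Assumed policy values for the illustration (configurable in a real deployment).
MAR_AGING_SECONDS = 5 * 3600                          # assumed MAR aging time
RESTRICTED_VLAN = "999"                               # assumed pre-login / no-MAR VLAN
USER_VLANS = {"alice": "10", "bob": "20"}             # assumed user -> VLAN mapping
DOMAIN_MACHINES = {"host/PC01.corp.example"}          # assumed AD computer accounts
VALID_USERS = {"alice": "pw-alice", "bob": "pw-bob"}  # constructed credentials


@dataclass
class MarCache:
    """Machine-authentication cache: MAC -> time of last successful machine auth."""
    aging: int = MAR_AGING_SECONDS
    entries: dict = field(default_factory=dict)

    def record(self, mac, now):
        self.entries[mac.lower()] = now

    def is_hit(self, mac, now):
        seen = self.entries.get(mac.lower())
        return seen is not None and now - seen <= self.aging


def vlan_attrs(vlan_id):
    """RADIUS attributes an Access-Accept carries to place the port in a VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
        "Tunnel-Private-Group-ID": vlan_id,
    }


def authorize(cache, mac, identity, secret, now):
    """Decide one 802.1X request; returns (Access-Accept|Access-Reject, attrs).

    An identity of the form 'host/...' is a machine authentication; anything
    else is a user authentication. Validation of the machine credential itself
    is abstracted to a membership check here.
    """
    if identity.startswith("host/"):
        if identity not in DOMAIN_MACHINES:
            return "Access-Reject", {}
        cache.record(mac, now)          # entry is keyed by endpoint MAC only
        return "Access-Accept", vlan_attrs(RESTRICTED_VLAN)
    if VALID_USERS.get(identity) != secret:
        return "Access-Reject", {}
    if not cache.is_hit(mac, now):
        # valid user, but no machine auth seen from this MAC within the aging time
        return "Access-Accept", vlan_attrs(RESTRICTED_VLAN)
    return "Access-Accept", vlan_attrs(USER_VLANS[identity])


def run_scenario():
    """Constructed request sequence; returns (label, access, vlan) per step."""
    cache = MarCache()
    pc01_wired, pc01_wifi = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    steps = [
        ("PC01 machine auth, wired NIC", pc01_wired, "host/PC01.corp.example", "", 0),
        ("alice logs in on PC01, wired NIC", pc01_wired, "alice", "pw-alice", 30),
        ("alice on PC01 wifi NIC (no MAR entry for that MAC)", pc01_wifi, "alice", "pw-alice", 60),
        ("bob from a spoofed PC01 wired MAC, valid password", pc01_wired, "bob", "pw-bob", 90),
        ("alice on PC01 wired NIC after MAR aging", pc01_wired, "alice", "pw-alice", MAR_AGING_SECONDS + 100),
    ]
    results = []
    for label, mac, identity, secret, now in steps:
        access, attrs = authorize(cache, mac, identity, secret, now)
        results.append((label, access, attrs.get("Tunnel-Private-Group-ID")))
    return results


if __name__ == "__main__":
    for label, access, vlan in run_scenario():
        print(f"{label:55s} {access:14s} VLAN {vlan}")
```

Step 3 is the per-NIC point from the accepted solution (the wifi MAC has no entry, so the user lands in the restricted VLAN until that NIC does its own machine auth), and step 4 is the spoofing concern from the question: the cache does not know who is behind the MAC, so a valid user password from a cloned MAC inherits the machine's cache entry.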

3 Replies

Hi,

I don't recommend MAR, and it has many issues associated with it. EAP-TLS provides basically machine authentication, not user authentication. Anyone can log in to the machine with any locally created account (for example, an account created by a virus or a worm can be used to log in to the machine and get network access). PassiveID is a level between dot1x and MAB and you can use it, but you are right regarding the troubleshooting.

If you are limited with cost, I suggest PassiveID as it fulfills the requirements, but I still recommend going to NAM with EAP-FAST.

Hi,

Thanks for the help. Regarding EAP-TLS, what if I configure my endpoints to "computer or user" authentication? In that case they will always send the user certificate when a user is logged in, and because the cert is non-exportable, I can assume that the computer is part of the domain. And because we are using dynamic VLAN assignment, the computer will not be in the prod VLAN until a user logs in and the computer sends the user cert.

Regarding PassiveID, the solution I was talking about was using 802.1X machine authentication + PassiveID for the user login; that way I know which user is logged in.

NAM does seem like the perfect solution for it, and it worked fine on that end, but we had so many issues with it when we were trying to upgrade AnyConnect, because we had issues with other modules like Posture.
