
01-23-2019 12:56 AM
I have a client who is looking to deploy user+computer authentication. We need to verify that the computer is a domain device and set a dynamic VLAN based on the logged-in user. I have used NAM with EAP chaining in other deployments, but it came with a price (there are a lot of issues with this driver, especially when trying to upgrade).
So my question is: what is the best way to achieve this, but without using NAM with EAP chaining?
From the research I've done, these are the available options, but I am not sure which one is better suited for us:
- dot1x + PassiveID - it looks great on paper, but I am not sure if PassiveID can deliver, as it seems pretty complex to troubleshoot.
- Implicit authentication with EAP-TLS - if we are using EAP-TLS with non-exportable user certs, we can assume that this is a domain computer. The problem here is that cert auto-enrollment can be a bit tricky to deploy.
- MAR caching - ISE will "remember" the MAC address of a machine that has been authenticated, and if a user authentication comes from the same MAC address, ISE can assume that the user and computer are authenticated. It seems like a simple solution, but it is pretty easy to crack (security-wise), because all it takes is spoofing the MAC address of a domain computer and entering a valid username+password.
Thank you,
Snir
Labels: Identity Services Engine (ISE)
Accepted Solutions
01-23-2019 01:03 PM
Note that a successful machine authentication is tied to the end point and not the machine credentials themselves. If you have a wired and a wireless network authenticating against ISE, then the MAR cache entries for each NIC would be kept separate for a machine.
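The cache semantics this answer describes (an entry per endpoint MAC, so a laptop's wired and wireless NICs are tracked separately, and entries that age out), as an added Python model that is not ISE's code and not from this thread; the aging time, VLAN names and MAC addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


def normalize_mac(raw: str) -> str:
    """Canonicalise a RADIUS Calling-Station-Id, which network devices send in
    several forms (aa-bb-cc-dd-ee-ff, AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MarCache:
    """Constructed model of a MAR cache: keyed by endpoint MAC, not by the
    machine account, with an aging time after which the entry is dropped."""
    aging_seconds: int
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, calling_station_id: str, now: int) -> None:
        self.entries[normalize_mac(calling_station_id)] = now

    def was_machine_authenticated(self, calling_station_id: str, now: int) -> bool:
        mac = normalize_mac(calling_station_id)
        seen = self.entries.get(mac)
        if seen is None:
            return False
        if now - seen > self.aging_seconds:
            del self.entries[mac]  # aged out: the machine must authenticate again
            return False
        return True


def authorize_user(cache: MarCache, calling_station_id: str, user_cred_ok: bool, now: int) -> str:
    """Policy decision for a user authentication: the prod VLAN is granted only
    when the user credentials are valid AND this MAC has a live MAR entry.
    The check knows nothing but the MAC string, which is the limitation the
    original question raises."""
    if not user_cred_ok:
        return "access-reject"
    if cache.was_machine_authenticated(calling_station_id, now):
        return "vlan-prod"
    return "vlan-restricted"


def walkthrough() -> dict:
    """Constructed scenario: one laptop with a wired NIC and a wireless NIC."""
    wired, wireless = "00-11-22-AA-BB-CC", "00-11-22-AA-BB-DD"  # constructed MACs
    cache = MarCache(aging_seconds=3600)
    cache.record_machine_auth(wired, now=0)  # boot-time machine auth on the wired NIC
    return {
        "wired_user": authorize_user(cache, "0011.22aa.bbcc", True, now=60),  # same NIC, other format
        "wireless_user": authorize_user(cache, wireless, True, now=60),  # other NIC: no MAR entry
        "after_aging": authorize_user(cache, wired, True, now=3601),  # entry expired
    }
```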
01-23-2019 01:15 AM
I don't recommend MAR; it has many issues associated with it. EAP-TLS basically provides machine authentication, not user authentication. Anyone can log in to the machine with any locally created account (for example, an account created by a virus or a worm can be used to log in to the machine and get network access). PassiveID is a level between dot1x and MAB, and you can use it, but you are right regarding the troubleshooting.
If you are limited on cost, I suggest PassiveID, as it fulfills the requirements, but I still recommend going to NAM with EAP-FAST.
01-23-2019 02:08 AM
Hi,
Thanks for the help. Regarding EAP-TLS, what if I configure my endpoints to "computer or user"? In that case it will always send the user certificate when a user is logged in, and because the cert is non-exportable I can assume that the computer is part of the domain. And because we are using dynamic VLAN assignment, the computer will not be in the prod VLAN until a user logs in and the computer sends the user cert.
Regarding PassiveID, the solution I was talking about was using 802.1X machine authentication + PassiveID for the user login, so that I know which user is logged in.
NAM does seem like the perfect solution for it, and it worked fine on that end, but we had so many issues with it when we were trying to upgrade AnyConnect, because we had issues with other modules like Posture.
