Dot1x User or Computer authentication: only the computer is being authenticated.

Hello,

We have an ISE solution that we are trying to configure in conjunction with the windows native supplicant for machine authentication and user authentication.

I am able to get a PC to authenticate with its certificate fine. My policy should authorize the computer in the first line and give it a DACL, which all works fine. The next line in my policy states that if the computer was authenticated and the user login is in AD, then authorize. This does not work. It appears that when I log into the PC, the switch does not receive any further RADIUS traffic for ISE, and we see no logs in ISE stating whether the user has been authorized or not. We have the supplicant set to user or computer authentication.

I have attached a screenshot of the ISE policy (ISE-policy.PNG).

Any help would be great.

Thanks

Nick


Accepted Solution

With the "Network Access" condition you rely on the MAR cache. Is that enabled, and are you aware of all the problems that are involved with MAR caches? And is that what you really need, that you tie a user authentication to a previous machine authentication?

If not, just remove the "Network Access" condition. As a beginning I would go that way.

If you need that, and your clients are already on Windows 10 version 2004, then move to TEAP authentication. If you cannot move to TEAP, using the AnyConnect NAM could also be possible.

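As an added illustration (not code from the thread, from Cisco, or from ISE), a small Python model of the point made in the accepted answer: the "machine was authenticated" part of rule 2 is a MAR cache lookup keyed by the endpoint MAC and bounded by a cache lifetime, so a user logon that arrives after the entry has aged out, or is handled by a node whose cache never saw the machine authentication, is denied, whereas TEAP chaining proves both identities inside one EAP session and needs no cache. The cache lifetime, MAC address and timestamps are constructed values.

```python
from dataclasses import dataclass, field

# Constructed model of the answer's point: a MAR cache keyed by endpoint MAC
# with a lifetime, plus two authorization rules like the poster's (machine
# cert first, then "user in AD AND machine was authenticated"). Not ISE code.
MAR_CACHE_TTL = 6 * 3600  # assumed cache lifetime in seconds

@dataclass
class MarCache:
    entries: dict = field(default_factory=dict)  # mac -> expiry time
    def record_machine_auth(self, mac, now):
        self.entries[mac] = now + MAR_CACHE_TTL
    def was_machine_authenticated(self, mac, now):
        expiry = self.entries.get(mac)
        return expiry is not None and now < expiry

@dataclass
class Session:
    mac: str
    machine_cert_ok: bool = False  # machine identity proven in this session
    user_in_ad: bool = False       # user identity proven in this session
    eap_chained: bool = False      # TEAP: both identities in one EAP session

def authorize(session, cache, now):
    # Rule 1: machine authenticated with its certificate -> machine DACL
    if session.machine_cert_ok and not session.user_in_ad:
        cache.record_machine_auth(session.mac, now)
        return "PERMIT_MACHINE_DACL"
    # Rule 2: user in AD AND machine authenticated; with EAP chaining that
    # fact is inside the same session, otherwise it is a MAR cache lookup
    if session.user_in_ad:
        if session.eap_chained:
            machine_ok = session.machine_cert_ok
        else:
            machine_ok = cache.was_machine_authenticated(session.mac, now)
        if machine_ok:
            return "PERMIT_USER"
    return "DENY"

def demo():
    cache, mac, t0 = MarCache(), "00:11:22:33:44:55", 1_700_000_000
    boot = authorize(Session(mac, machine_cert_ok=True), cache, t0)
    login = authorize(Session(mac, user_in_ad=True), cache, t0 + 60)
    # Login handled by a node whose cache never saw the machine auth
    other_node = authorize(Session(mac, user_in_ad=True), MarCache(), t0 + 60)
    # Login after the cache entry aged out: the machine binding is gone
    late = authorize(Session(mac, user_in_ad=True), cache, t0 + MAR_CACHE_TTL)
    # TEAP chaining: both identities in one session, no cache dependency
    teap = authorize(Session(mac, True, True, True), MarCache(), t0 + MAR_CACHE_TTL)
    return boot, login, other_node, late, teap
```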


Mike.Cifelli (VIP Alumni)

To add additional information/things to consider: NAM can lead to additional admin overhead simply due to the fact of needing to manage the software deployment, upgrades, and user education. In my experience it works great in regard to utilizing EAP chaining for user+computer auth, but it definitely takes some time to get used to it. Some would argue that the security benefits outweigh the admin overhead that I alluded to. Also, I have yet to test using TEAP with the native supplicant, but typically relying on the native supplicant in general is much easier than using NAM. Something else to note is that if you wish to test/use TEAP you will need to be running ISE 2.7 at a minimum, as other versions do not support it.


See these links for further guidance:

Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

EAP Chaining with Cisco ISE – integrating IT (wordpress.com)


HTH!