EAP-Chaining - Machine PAC to client - is it rechecked against AD?

cpaquet, Level 1

When ISE receives the Machine-PAC, does it check with AD that this workstation is still authorized on the network?

I got this question today:

When EAP-FAST with EAP-Chaining is used, ISE sends a Machine-PAC following a successful machine AuthC.

Let's say the user walks away from his computer without having logged in. The computer is still at the GINA screen.

Meanwhile, the AD admin revokes this workstation (removes it from AD/COMPUTERS).

When the user gets back to GINA and performs his User AuthC, the workstation will also provide ISE with the Machine-PAC (this is the purpose of EAP-Chaining). Will ISE check with AD one more time to see if this is part of the domain?

(I know that you can set in ISE the maximum number of hours that the cookie will be good for. But the question is: if the cookie is still valid but the machine was removed from AD, will ISE check with AD to see whether a machine that was issued a cookie a few hours ago is still okay to join our network? I think the answer is no, because of how a MAR cache works if you are using, let's say, PEAP with Machine+User Authentication. Once the machine is authenticated, that fact is stored in the MAR cache until it expires; upon doing User AuthC, ISE does not also perform another Machine-AuthC... it would defeat the purpose of the MAR cache.)

Any thoughts would be appreciated... If I have time, I will set up a pod and test this.

Thanks.

1 Accepted Solution

Accepted Solutions

Greg Gibbs, Cisco Employee

EAP Chaining does not use the MAR cache. These are mutually exclusive functions, so the terminology should not be used interchangeably.

For your EAP Chaining scenario where the Computer Auth has completed successfully but the Computer account is disabled/deleted prior to the User logging in, I have confirmed that ISE does perform another authentication check (of both the Computer and User credentials) against AD when the User logs in. For this example, I was using eapFast(eapMschapv2) for the EAP method.

After disabling the Computer account in AD and logging in as a valid User, the EAP Chaining result is "User succeeded and machine failed" and I see the following log in the Step Data:

Machine authentication against Active Directory has failed because the machine's account is disabled

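As an added example (not code from this thread or from Cisco ISE), the following Python script turns the behaviour Greg confirms into something a practitioner can act on: it maps the four EAP chaining outcomes to an authorization decision that fails closed, and it scans authentication records for the exact window the question describes, a host that passed machine auth earlier (so it holds a Machine-PAC) and then fails the machine part of a chained auth once the user logs in, which is what AD revocation looks like in the ISE logs. The record format is constructed for the example, the profile names are hypothetical, and the four EapChainingResult strings are assumed to be the values ISE exposes in authorization conditions.

```python
"""Classify EAP chaining outcomes from constructed ISE-style records and flag
hosts whose machine account was revoked after a successful machine auth.
Added example for this thread, not Cisco ISE code; the log format is invented."""
import re

# Assumption: the four outcome strings of the ISE attribute
# Network Access:EapChainingResult as used in authorization conditions.
BOTH_OK = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
BOTH_FAIL = "User and machine both failed"

# Hypothetical authorization profile names keyed on the chaining result.
POLICY = {
    BOTH_OK: "PERMIT_CORP",
    MACHINE_ONLY: "PERMIT_MACHINE_ONLY",  # pre-login access (GPO, patching)
    USER_ONLY: "QUARANTINE",              # valid user on a host AD no longer trusts
    BOTH_FAIL: "DENY",
}

# Constructed key=value records (not a real ISE export format). The step text on
# the failing lines is the one quoted in the accepted answer.
SAMPLE_LOG = """\
ts=2024-05-01T08:00:01Z mac=00:11:22:33:44:55 user= host=WS-0123$ result="User failed and machine succeeded"
ts=2024-05-01T08:02:10Z mac=00:11:22:33:44:55 user=alice host=WS-0123$ result="User and machine both succeeded"
ts=2024-05-01T09:15:30Z mac=00:11:22:33:44:66 user= host=WS-0456$ result="User failed and machine succeeded"
ts=2024-05-01T10:45:02Z mac=00:11:22:33:44:66 user=bob host=WS-0456$ result="User succeeded and machine failed" step="Machine authentication against Active Directory has failed because the machine's account is disabled"
ts=2024-05-01T11:00:00Z mac=00:11:22:33:44:77 user=mallory host=LAPTOP-9$ result="User succeeded and machine failed" step="Machine authentication against Active Directory has failed because the machine's account is disabled"
ts=2024-05-01T11:05:00Z mac=00:11:22:33:44:88 user=eve host= result="User and machine both failed"
"""

RECORD_RE = re.compile(
    r'ts=(?P<ts>\S+) mac=(?P<mac>\S+) user=(?P<user>\S*) host=(?P<host>\S*) '
    r'result="(?P<result>[^"]*)"(?: step="(?P<step>[^"]*)")?'
)


def parse_log(text):
    """Parse the constructed records into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def authorize(record):
    """Map a record's chaining result to a profile; unknown values fail closed."""
    return POLICY.get(record.get("result"), "DENY")


def machine_succeeded(result):
    return result in (BOTH_OK, MACHINE_ONLY)


def revoked_after_machine_success(records):
    """Return (mac, host, user, ts) for chained auths where the machine part failed
    on a host that had passed machine auth earlier: the Machine-PAC was still valid,
    but ISE re-checked the computer account against AD and found it revoked."""
    last_machine_ok = {}
    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort as strings
        if machine_succeeded(r["result"]):
            last_machine_ok[r["mac"]] = r["ts"]
        elif r["result"] == USER_ONLY and r["mac"] in last_machine_ok:
            findings.append((r["mac"], r["host"], r["user"], r["ts"]))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["mac"], r["result"], "->", authorize(r))
    for mac, host, user, ts in revoked_after_machine_success(recs):
        print(f"ALERT {ts}: {host} ({mac}) passed machine auth earlier, then failed "
              f"it when {user} logged in: AD revocation took effect despite the PAC")
```

The host at 00:11:22:33:44:77 also lands in QUARANTINE, but it is not raised as an alert because there is no earlier machine success for it in the records; only the WS-0456$ session matches the thread's scenario of a PAC issued before the account was disabled.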

Greg, thank you for your quick answer. This is exactly the confirmation I was looking for. (And I know that MAR and EAP-Chaining are mutually exclusive... EAP-Chaining is an alternative to MAR.)

Thanks again.
