05-13-2020 12:55 PM
I was reading about EAP, and I came across this:
"EAP Chaining
EAP-FAST includes the option of EAP chaining, which supports machine and
user authentication inside a single outer TLS tunnel. It enables machine and user
authentication to be combined into a single overall authentication result. This
allows the assignment of greater privileges or posture assessments to users who
connect to the network using corporate-managed devices."
I do not understand how the bolded section is related to EAP chaining. Would someone please elaborate on this?
Any input is appreciated.
05-13-2020 02:46 PM
It is just saying that with EAP-Chaining, you can apply policies based on both the machine and user at the same time. Without EAP-Chaining, you have to decide whether to authenticate the machine, the user, or both. But both cannot be authenticated at the same time so when you authenticate a user, you cannot be 100% sure that the user is using a corporate device. There are attempts at offering that without EAP-Chaining like MAR or doing posture assessment to look for a file or registry key. But you cannot be 100% sure and there are flaws with those methods. With EAP-Chaining, you can ensure that both the machine and user present credentials at the same time. And since you can see the user, you can apply a policy that is either stricter or looser based on the user identity. Instead of just applying a common policy across all devices like with machine-only authentication.
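To make the contrast in the answer above concrete, here is an added toy model (not code from the thread or from any vendor product) of a policy server that infers "corporate device" the MAR way, by caching a machine authentication per MAC address with an aging timer, beside one that reads a combined EAP chaining result. The class and function names, the 3600-second cache lifetime and the MAC addresses are assumptions constructed for the example.

```python
# Added example (not from the thread): a toy RADIUS policy model contrasting
# MAR-style inference with an EAP chaining result. All names, timeouts and
# MAC addresses are constructed for illustration, not any vendor's real API.
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    CORPORATE_USER = "corporate-device + user"   # full privileges
    USER_ONLY = "user on unknown device"         # restricted policy
    MACHINE_ONLY = "machine, no user"            # e.g. pre-logon access
    DENY = "deny"


@dataclass
class MarPolicy:
    """Machine Access Restriction: remembers a successful machine auth per
    MAC address and treats a later user auth from that MAC as 'corporate'
    only while the cache entry is still fresh."""
    cache_ttl: float = 3600.0                     # assumed MAR aging time (s)
    cache: dict = field(default_factory=dict)     # mac -> time of machine auth

    def machine_auth(self, mac: str, now: float) -> None:
        self.cache[mac] = now

    def user_auth(self, mac: str, now: float) -> Access:
        seen = self.cache.get(mac)
        if seen is not None and now - seen <= self.cache_ttl:
            return Access.CORPORATE_USER
        # Cache miss or expired entry: the server cannot tell whether the
        # device is managed, so the user gets the restricted policy.
        return Access.USER_ONLY


def chaining_policy(machine_ok: bool, user_ok: bool) -> Access:
    """EAP chaining: both credentials arrive inside one tunnel, so the server
    gets a single combined result and needs no cache or MAC correlation."""
    if machine_ok and user_ok:
        return Access.CORPORATE_USER
    if user_ok:
        return Access.USER_ONLY
    if machine_ok:
        return Access.MACHINE_ONLY
    return Access.DENY


def mar_demo() -> list:
    """Three user logons on a MAR server after one machine auth at t=0."""
    mar = MarPolicy()
    mar.machine_auth("aa:bb:cc:00:00:01", now=0.0)
    return [
        mar.user_auth("aa:bb:cc:00:00:01", now=600.0),   # fresh entry: correct
        mar.user_auth("aa:bb:cc:00:00:01", now=7200.0),  # entry aged out: false negative
        mar.user_auth("aa:bb:cc:00:00:02", now=600.0),   # different NIC: no link to machine auth
    ]
```

The second and third MAR results show the "cannot be 100% sure" problem from the answer: a long-running session or a change of interface breaks the inference, while `chaining_policy` has both facts in hand for every request.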
05-14-2020 06:03 AM
I agree with @Colby LeMaire. Adding some additional thoughts:
Using eap-fast to accomplish eap-chaining definitely has its benefits. As mentioned it provides more granularity in regard to pushing network policy based on both user/endpoint auth. From a monitoring perspective you are able to track not only where the endpoint is connected, but now also the user. If running environments where mobility is a desire, no single user has to be tied to a single host. You can push policy based on the specific user so that the user is in the right network no matter where they are, no matter what host they are connected to (obviously still authenticating the endpoint as well). Essentially in that example you steer policy based on user groups perhaps in AD and/or certain user CAC auth. The mobility aspect is pretty nice in networks running SDA with Anycast gateways.
Now, things to keep in mind:
Utilizing eap-chaining is typically more complex. Meaning I have only seen a few environments running NAM to accomplish eap-chaining. The easier approach is using the native supplicant with eap-tls since support and rollout is simpler. However, as Colby mentioned you cannot accomplish both at the same time. With NAM you now have to worry about software upgrades, possible profile updates, and user education.
Lastly, at the end of the day it comes down to what the environment requirements are and what the requirements wish to accomplish. I personally like NAM for several reasons mentioned. AFAIK Microsoft is working towards releasing some functionality/support of eap-teap (industry standard similar to eap-fast). However, not exactly sure on when or how it will operate once available. Anyways, good luck & HTH!