EAP-FASTV2 with certificates, conundrum

battyjohn (Level 1)

To implement EAP-FASTv2 with machine and user auth, our customer has requested we use certificates, separate local machine and individual user.

How best to distribute the individual user certificate? The network is 802.1X enabled, so I can pull an EAP-chaining condition to push a DACL for machine success and user auth fail to restrict access for a GPO update, but it's a bit clunky.

Any suggestions for a better way to do this?

BTW, not using certs is not an answer, as they are used for always-on VPN with AnyConnect multi-cert auth.


3 Replies

Damien Miller (VIP Alumni)
In my opinion, leveraging Microsoft's certificate services in conjunction with group policy auto-enrollment is easiest. But the caveat here is that it only works for Microsoft machines. In most environments this is fine, but the larger the business, the more frequently I see fringe cases like the proliferation of thousands of MacBooks or Linux desktops. In those environments there is usually some MDM solution managing them which can issue certificates from the same MS CA.

It sounds like they already have some certificates deployed, though; you mention that they are using them for always-on VPN. How were these certificates issued?

Hi, machine certificates get issued with the build; it's user certificates once the PC is ready for deployment that are required, but the environment is fully dot1x, so the new policy needs to accommodate user cert distribution. NAM doesn't seem to have an easy way to choose option A, then option B, and then only option B in future.

As Damien mentioned, you can use the Microsoft certificate services to take care of management for user certificates for those users using Windows workstations. I strongly suggest reading this:

https://blogs.technet.microsoft.com/meamcs/2010/12/01/auto-enrollment-avoid-the-challenges-of-making-end-users-manage-their-certificates/

Keep in mind that if you are attempting to use EAP-FASTv2, most vendors do not support this protocol. There is an industry standard protocol that is referred to as EAP-TEAP. However, I am not sure if the Windows native supplicant supports EAP-TEAP. Also, as a heads up, if you are planning on moving forward with Cisco's EAP-FAST proprietary protocol you will need to implement AnyConnect with the NAM module in order to support it.

Depending on your environment, it will be less seamless to implement user certificates for those using Linux/Macs or something other than Windows. This should help too:

https://community.cisco.com/t5/security-documents/how-to-deploy-eap-chaining-with-anyconnect-nam-and-ise/ta-p/3630969
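The thread's approach leaves one gap on the Windows side: the EAP-chaining "machine pass, user fail" restricted access only helps if auto-enrollment actually delivers the user certificate during that window. The script below is an added example (not from the thread, not Cisco or Microsoft code) that checks the current user's store for a certificate from the expected template with the Client Authentication EKU and a private key, triggers an auto-enrollment pulse if none is present, and re-checks. The template name `UserEAP` is a placeholder; it assumes a version 2 (or later) certificate template, since version 1 templates mark the template differently.

```powershell
# Added example, not from the thread: verify that GPO auto-enrollment has delivered a
# user certificate usable for the EAP user leg, and nudge auto-enrollment if it has not.
# Assumption: 'UserEAP' is a placeholder for the customer's user certificate template (v2+).

$ClientAuthEku    = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth, required for the EAP user leg
$TemplateExtOid   = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (v2+ templates)
$ExpectedTemplate = 'UserEAP'               # placeholder template name

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
    if (-not $ext) { return $null }         # v1 templates use a different extension; not handled
    # Format() renders "Template=<name>(<oid>), Major Version Number=..."; extract the name
    if ($ext.Format($false) -match 'Template=([^\(,]+)') { return $Matches[1].Trim() }
    return $null
}

function Get-EapUserCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku }) -and
        (Get-TemplateName $_) -eq $ExpectedTemplate
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-EapUserCertificate
if (-not $cert) {
    Write-Host "No '$ExpectedTemplate' user certificate present; requesting auto-enrollment."
    certutil -user -pulse | Out-Null        # kicks the user auto-enrollment task
    Start-Sleep -Seconds 20                 # give the CA round trip time to complete
    $cert = Get-EapUserCertificate
}

if ($cert) {
    Write-Host ("User EAP certificate OK: {0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter)
    exit 0
}
Write-Warning 'Still no user certificate: confirm the template grants Enroll and Autoenroll to the user group, and that the restricted DACL for the machine-only leg allows reaching AD and the CA.'
exit 1
```

Running this as a logon script during the machine-only (restricted DACL) phase gives a quick yes/no on whether the user leg of EAP chaining will have a certificate to present at the next reauthentication.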