09-17-2017 11:10 PM
Hello,
I spent a couple of days researching whether an enterprise wireless security design with OTP is possible. The idea is to authenticate first the machine and then the user with OTP. If both are successful, access is granted. As far as my research went, I must rely on EAP-FAST and EAP Chaining (EAP-TLS and EAP-GTC as inner methods). But from here the unknown part follows: is it possible, does someone have such an implementation, and what is the user experience? Because if every time the user roams to a different AP (of course in the same mobility group) the OTP is required, it will be a terrible experience.
Thanks!
09-18-2017 09:59 AM
You could accomplish this with CWA Chaining (802.1X auth followed by CWA auth). CWA supports RSA and RADIUS Token as well as SAML auth options. You could optionally combine the CWA portion with device registration to eliminate continuous CWA reauth, then periodically purge device from registration to force new 1X + OTP auth.
Craig
09-18-2017 01:00 PM
Thanks Craig,
but I don't find CWA appropriate... Actually, we are currently on such a solution, but with CWA on the WLC. The roaming is terrible.
And if I use MAC authentication, it is very weak (if used without profiling).
09-18-2017 01:27 PM
Alexander,
You state that forcing reauth on each roam is considered too secure, but easing restriction based on MAC (post auth) is considered too insecure. You are coming to the obvious conclusion that policy is often a balance between security controls and user experience/productivity!
If EAP Chaining is serving your purpose, then consider appropriate key caching mechanisms based on clients and test. For example, dot1x + adaptive 11r may be suitable, but best to confer with wireless team.
Also, ISE 2.2+ supports RADIUS Token caching which could help reduce the need to reauth OTP on each reauth. This may be your perfect balance between security and convenience, in addition to reduced reauth for viable key caching methods.
Craig
09-19-2017 01:23 PM
Craig,
you are absolutely right, this is a known "issue": as something becomes more secure, it becomes harder to use. But this is life.
Today I tested one part of the whole solution: authentication against the RADIUS Token Server (HID). EAP-FAST with EAP-GTC as the inner method, and everything works like a charm. No special protocols for fast roaming on the wireless side (I know they are specific and most commonly not recommended if we want high compatibility). And even with roaming between APs, no requirement for token code input. BUT there is some session cache on the ISE which I don't understand... because on each roam between APs there was no request to the RADIUS token server, nor was the client asked for an OTP code. And the RADIUS Token caching feature was not enabled in the RADIUS Token server configuration.
Can someone explain to me what this cache is and how it can be controlled?
I didn't finish the EAP Chaining test, because for some reason the machine authentication via certificates was not successful. It always fails. If someone can share experience with this, I'll be very thankful.
09-19-2017 01:35 PM
L2 roaming on secure network typically does not change session ID so would not expect disruption.
09-19-2017 10:59 PM
Yes, but where is this session info cached, and what control of the cache do we have (cache time, erasing an entry in the cache)?
09-20-2017 01:53 AM
If the client is doing proper roaming in the wireless network, the wireless controller will not do a re-auth of the user. The authentication info of the client is retained in the wireless controller, and the controller will not pass any authentication request to ISE. When I say proper roaming, I mean the client moving from one AP to another without passing through areas with no coverage.
By default this is an in-built feature in WPA2+AES and you don't need fast roaming protocols. How long the controller retains the information of the client depends on many parameters like session timeout, idle timeout and broadcast key refresh, and I would say that is a pure wireless question.
Regards
09-24-2017 05:12 AM
Nikhil,
I read many things these days related to the topic, but I cannot agree with your post.
With reference to this community document:
802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community
In summary, it seems that full authentication is done during normal, supported roaming. If we use fast roaming technologies on the WLC, we can speed things up. Also, if the authentication server has some caching functions, we can save some time. Otherwise, full authentication is done.
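The disagreement in the posts above comes down to whether the target AP can validate a cached pairwise master key (PMK) when the client reassociates. This is an added example, not code from the thread or from Cisco: it models 802.11i PMKSA caching with the standard's PMKID derivation (HMAC-SHA1-128 over "PMK Name" || AP BSSID || client MAC) and contrasts per-AP caching with opportunistic key caching (a vendor extension the standard does not define), where one PMK is valid on every AP behind the same controller. The Controller and Client classes, the BSSIDs, the client MAC and the roam timeline are all constructed for illustration; a cache miss or a reached session timeout is what forces a fresh EAP exchange, and therefore a new OTP prompt.

```python
"""Model of how 802.11i PMK caching decides between a fast roam and a full
re-authentication. Added example; Controller and Client are a hypothetical
simplification, not Cisco WLC or ISE code."""
import hashlib
import hmac
import os


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    AA is the AP's BSSID, SPA is the client's MAC; only the first 16 bytes
    of the HMAC-SHA1 output form the identifier."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Controller:
    """Hypothetical WLC. okc=True models opportunistic key caching: a PMK
    learned on any AP is accepted by every AP this controller manages.
    okc=False accepts a cached PMK only at the AP where it was negotiated."""

    def __init__(self, okc: bool, session_timeout: int):
        self.okc = okc
        self.session_timeout = session_timeout
        self.pmksas = {}      # client MAC -> list of (pmk, bssid, expiry)
        self.full_auths = 0   # each one is a new EAP exchange (and OTP prompt)

    def associate(self, sta: bytes, bssid: bytes, offered: list, now: int):
        """Return ('fast', pmk) if an offered PMKID matches a valid PMKSA,
        otherwise run a full authentication and return ('full', new_pmk)."""
        for pmk, auth_bssid, expiry in self.pmksas.get(sta, []):
            if now >= expiry:
                continue                    # session-timeout reached
            if not self.okc and auth_bssid != bssid:
                continue                    # PMK is only good on its own AP
            if pmkid(pmk, bssid, sta) in offered:
                return "fast", pmk          # only the 4-way handshake follows
        # Full 802.1X/EAP to RADIUS yields a fresh PMK. The random bytes stand
        # in for the PMK derived from the EAP MSK (constructed data).
        self.full_auths += 1
        pmk = os.urandom(32)
        self.pmksas.setdefault(sta, []).append(
            (pmk, bssid, now + self.session_timeout))
        return "full", pmk


class Client:
    """Supplicant that offers a PMKID for every PMK it still holds."""

    def __init__(self, mac: bytes, wlc: Controller):
        self.mac = mac
        self.wlc = wlc
        self.pmks = []

    def connect(self, bssid: bytes, now: int) -> str:
        # The RSN IE PMKID list is derived per target BSSID from cached PMKs.
        offered = [pmkid(p, bssid, self.mac) for p in self.pmks]
        result, pmk = self.wlc.associate(self.mac, bssid, offered, now)
        if result == "full":
            self.pmks.append(pmk)
        return result


# Constructed sample data: two APs on one controller, one client, and a roam
# pattern with timestamps in seconds.
AP1 = bytes.fromhex("001122334401")
AP2 = bytes.fromhex("001122334402")
STA = bytes.fromhex("aabbccddeeff")
ROAMS = [(0, AP1), (60, AP2), (120, AP1), (2000, AP2)]


def simulate(okc: bool, session_timeout: int = 1800):
    """Replay ROAMS; return each outcome and the number of full EAP runs."""
    wlc = Controller(okc, session_timeout)
    sta = Client(STA, wlc)
    results = [sta.connect(bssid, t) for t, bssid in ROAMS]
    return results, wlc.full_auths


if __name__ == "__main__":
    for okc in (False, True):
        print("OKC" if okc else "per-AP caching", simulate(okc))
```

With per-AP caching the first visit to each AP costs a full EAP exchange and the return to a previously visited AP is fast; with OKC every roam inside the controller is fast until the session timeout expires, after which the next reassociation is a full authentication again. Fast-roaming protocols such as 802.11r change how the keys are carried between APs but not this basic trade-off between cache lifetime and how often the token server is consulted.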
09-24-2017 08:38 AM
Hi Alex,
I have replied to the forum topic
802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community
Still, I believe this is best to discuss in a wireless forum, than in a ISE forum
Regards
Nikhil