Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1692
Views
10
Helpful
5
Replies

Find a condition to authenticate to the correct domain with TEAP

Go to solution
REJR77
Level 1
Level 1

‎11-25-2021 06:05 AM - edited ‎11-25-2021 06:19 AM

Hi,

I have several AD domains on my ISE deployment
Depending on the AD domain, the Authentication Policy to access the network may change

- For some domains, we use EAP TLS only (machine Authentication only)
- And for 1 domain we use TEAP (machine certificate + username/pwd for user)

In the Authentication Policy, I can make a condition to match the Certificate Issuer and then check in the right Certificate Profile for Authentication

Is it possible for TEAP authentication to find a condition that would authenicate to the specified Joint Point and not asking to all the joint points? (we can not use network device as a differenciator)

 

Actually my concern is to send the Authentication to the correct Authentication server, without the need to go through each Join Point.

Thanks for any idea

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎11-25-2021 11:52 AM

Hello @REJR77 

 

I do this all the time. In the Authentication section select the Certificate Authentication Profile depending on the EAP Method/Tunnel. 

The Name of the AD Join Point is set in the Certificate Authentication Profile.

 

 

Example below

 

ISE JP.png

 

View solution in original post

5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎11-25-2021 11:52 AM

Hello @REJR77 

 

I do this all the time. In the Authentication section select the Certificate Authentication Profile depending on the EAP Method/Tunnel. 

The Name of the AD Join Point is set in the Certificate Authentication Profile.

 

 

Example below

 

ISE JP.png

 

Go to solution
REJR77
Level 1
Level 1
In response to Arne Bier

‎11-25-2021 11:30 PM - edited ‎11-25-2021 11:41 PM

Hello @Arne Bier ,

Thank you for the message. This is what I need.

In our case we have Machine Certifcate Authentication AND Username/Password for user (I think I have to use a sequence for that purpose)

 

If you have 2 different AD domains that run TEAP, can you specify 2 different Cert_Profiles so that it can speed up searches in directories?

Something like:

If Network Access-EAPAuthentication EQUALS TEAP AND DomainA then SEQUENCE_A

If Network Access-EAPAuthentication EQUALS TEAP AND DomainB then SEQUENCE_B

 

I am not sure the Domain can be a condition at that moment of authentication

 

Thanks

Thanks

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to REJR77

‎11-29-2021 03:08 AM

Hello @REJR77 

 

You could put the AD domain into the Certificate Authentication Profile as shown below. Would that work for you?

 

EXTA.png

0 Helpful

Go to solution
REJR77
Level 1
Level 1
In response to Arne Bier

‎11-29-2021 04:22 AM

Hi @Arne Bier 

I've made these 2 rules.

The first one, should match User Authentication sent with MSCHAPv2 in the TEAP  Tunnel

The second one, should match the machine certificate sent in EAP-TLS on the TEAP Tunnel

 

Image 1.png

I hope when adding another domain I will be able to duplicate these rules, and therefore asking only the corresponding Active Directory server. (From what I've seen, the order seems to be important (User then Machine)

 

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to REJR77

‎12-08-2021 06:21 PM

@REJR77  - how did your changes go? Did your config work?

0 Helpful
Customers Also Viewed These Support Documents