How to deploy role based access using machine cert + AD for users?

luckymike33
Level 1

Hi,

 

Right, but here goes:

 

My scenario is that the firm I am working with has already bought machine certs, but at the same time ideally wants to deploy differentiated dot1x access based on user attributes. They do not seem willing to buy user certs in any way, shape or form.

 

Is there any way round this? My thinking is that, true, we could get the machine to initially perform AAA and be authorized with a machine-access-only dACL, but the problem would then be that there would be no user cert available on the device, and so there would be no way for a user to pass AAA and for the final authorization to be based on that.

 

I am assuming that there is no way to configure the machine to use a method of EAP-TLS, and the user to use say PEAP (MS-CHAPv2)?

 

I wonder if the only alternative is to ensure that each machine always has the same user and somehow group machines together by role, and have ISE pull down some kind of AD attribute when the 'machine' logs in, which would allow ISE to apply the associated profile. It's just that the security seems nowhere near as good, as anyone who logs into that machine will be given the machine's access.

 

Has anyone come across a scenario like this before, or has any idea how to tackle this?

 

Best wishes

 

Mike

1 Reply

Greg Gibbs
Cisco Employee

First off, the comment about 'buying' computer/user certificates leads me to believe the firm is using public CA-signed certificates. Most organisations use an internal PKI/CA (like Active Directory Certificate Services) for enrolling and signing EAP certificates for corporate computers and users. Using public CA-signed certificates in this manner is not common practice nor is it recommended.

Historically, the Windows native supplicant did not provide for using different EAP methods for computer vs. user authentication. As of Windows 10 version 2004, however, the supplicant now supports using TEAP. With TEAP, you can specify different EAP methods for computer vs. user as well as use EAP Chaining to combine the two credentials.

Have a look at the following community post for similar discussions around TEAP and EAP Chaining.

https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444
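To make the EAP Chaining point concrete, here is an added example that models how an ISE-style authorization policy can combine the two TEAP inner results (EAP-TLS for the computer, EAP-MSCHAPv2 for the user) into a single role-based decision. It is illustration written for this thread, not code from Cisco, ISE, or the reply above. The chaining result strings are the values ISE exposes as Network Access:EapChainingResult; the CA distinguished name, AD group names, dACL names and the rule order are assumptions chosen for the example. The Windows build check reflects that version 2004 corresponds to build 19041.

```python
"""Model of a TEAP / EAP Chaining authorization policy (constructed example).

The session data below stands in for what the RADIUS server learns from one
TEAP exchange: the EAP-TLS inner method tells it which CA issued the machine
certificate, the EAP-MSCHAPv2 inner method (plus an AD lookup) tells it which
groups the user belongs to, and the chaining result says which of the two
succeeded. Names marked 'assumed' are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Values ISE reports as Network Access:EapChainingResult for a TEAP session.
CHAIN_BOTH = "User and machine both succeeded"
CHAIN_MACHINE_ONLY = "User failed and machine succeeded"
CHAIN_USER_ONLY = "User succeeded and machine failed"
CHAIN_BOTH_FAILED = "User and machine both failed"
CHAIN_NONE = "No chaining"

# Assumed internal issuing CA for computer certificates (per the reply,
# an internal PKI such as AD CS rather than a public CA).
TRUSTED_MACHINE_CA = "CN=CORP-ISSUING-CA,DC=corp,DC=example"

# Assumed AD group -> role dACL mapping, most specific role first.
ROLE_DACLS = [
    ("CN=Finance,OU=Groups,DC=corp,DC=example", "DACL-FINANCE"),
    ("CN=Engineering,OU=Groups,DC=corp,DC=example", "DACL-ENGINEERING"),
    ("CN=Domain Users,CN=Users,DC=corp,DC=example", "DACL-USER-DEFAULT"),
]
# Assumed dACL for a domain computer with no user logged in (AD, DNS,
# patching, GPO only): the 'machine access only' state from the question.
MACHINE_ONLY_DACL = "DACL-MACHINE-ONLY"

WIN10_2004_BUILD = 19041  # Windows 10 version 2004, first build with TEAP


@dataclass
class TeapSession:
    eap_chaining_result: str
    machine_cert_issuer: Optional[str] = None            # from inner EAP-TLS
    user_ad_groups: List[str] = field(default_factory=list)  # from inner EAP-MSCHAPv2 + AD


@dataclass
class Authorization:
    access: str            # "ACCEPT" or "REJECT"
    dacl: Optional[str]    # dACL name pushed in the Access-Accept, if any
    reason: str


def supplicant_supports_teap(windows_build: int) -> bool:
    """True if the native Windows supplicant on this build can be configured for TEAP."""
    return windows_build >= WIN10_2004_BUILD


def role_dacl_for(groups: List[str]) -> Optional[str]:
    """Pick the dACL of the first (most specific) role the user belongs to."""
    for group, dacl in ROLE_DACLS:
        if group in groups:
            return dacl
    return None


def authorize(session: TeapSession) -> Authorization:
    """Map a chained TEAP result plus user role onto one authorization."""
    machine_trusted = session.machine_cert_issuer == TRUSTED_MACHINE_CA

    if session.eap_chaining_result == CHAIN_BOTH:
        # Corporate device AND known user: differentiate by user role.
        if not machine_trusted:
            return Authorization("REJECT", None, "machine cert not from internal CA")
        dacl = role_dacl_for(session.user_ad_groups)
        if dacl is None:
            return Authorization("REJECT", None, "user has no role mapping")
        return Authorization("ACCEPT", dacl, "corporate device with user role")

    if session.eap_chaining_result == CHAIN_MACHINE_ONLY:
        # Device booted to the logon screen (or user auth failed): limited access.
        if not machine_trusted:
            return Authorization("REJECT", None, "machine cert not from internal CA")
        return Authorization("ACCEPT", MACHINE_ONLY_DACL, "machine-only access")

    if session.eap_chaining_result == CHAIN_USER_ONLY:
        # Valid AD user on a device without a corporate machine cert
        # (e.g. personal laptop): the user credential alone is not enough.
        return Authorization("REJECT", None, "valid user on non-corporate device")

    return Authorization("REJECT", None, "no usable credentials")


if __name__ == "__main__":
    s = TeapSession(CHAIN_BOTH, TRUSTED_MACHINE_CA,
                    ["CN=Finance,OU=Groups,DC=corp,DC=example",
                     "CN=Domain Users,CN=Users,DC=corp,DC=example"])
    print(authorize(s))
```

The key property this shows is the one the question was missing: because TEAP carries both inner methods in one session, the policy can distinguish "corporate machine, finance user" from "corporate machine, nobody logged in" and from "known user on an unknown machine", without needing a user certificate. In a real ISE policy the same branches are expressed as authorization rules conditioned on EapChainingResult, the certificate issuer, and AD group membership.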