ISE 2.1 - MAR aging time - EAP-TLS

We are currently doing PEAP dot1x with machine and user authentication against AD but we are running into issues when the MAR aging time expires because users get bounced from the network and are forced to log off then on again (apparently they don't like doing that regularly).

So my question is, if we were to employ EAP-TLS with machine and user certificates instead, does the MAR cache still play a role? Will we still have these aging issues? Having trouble understanding this.

Thanks in advance.

John

1 ACCEPTED SOLUTION

Hi John!

Yes, even with EAP-TLS you would have to deal with the MAR cache timeout since you would still be bound to use the condition "WasMachineAuthenticated" in your authorization policies, which is based on data in the MAR cache. Also keep in mind data in the MAR cache is NOT synced between ISE PSN nodes in versions earlier than ISE 2.3, so if one of your PSN nodes goes down everyone would need to log out of Windows and back in again to get proper network access the next time they try to connect to the network.

You could increase the MAR cache timeout to last at least a few days to encounter fewer cases where the users have to log out then log back in to get proper network access. We've had users who pretty much never logged off Windows; they only locked the PC for the day when they went home, which means no "renewed" machine authentication.

In my opinion the best way of doing both user and machine authentication is to deploy AnyConnect Network Access Module and use EAP-FAST with EAP-chaining. This is how we dealt with the MAR cache problem. This type of EAP does machine authentication when the computer is booted (or if the user logs out) and when the user logs in it triggers BOTH user authentication and machine authentication. In this scenario you would never have to rely on the MAR cache.
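
As an added example (not code from this thread or from Cisco ISE), the Python below models the policy logic in the reply above: a per-PSN MAR cache with an aging time, the WasMachineAuthenticated check a PEAP/EAP-TLS user authorization rule depends on, and an EAP-chaining rule that needs no cache at all. The cache structure, the MAC address, the aging value and the periodic re-authentication interval are constructed assumptions, not ISE internals.

```python
"""Model of the MAR-cache dependency vs EAP chaining (added example, not ISE code).
Constructed for illustration: the cache structure, MAC address and aging value are
assumptions, not ISE internals. Time is measured in hours since the machine booted."""
from dataclasses import dataclass, field


@dataclass
class MarCache:
    """One PSN's MAR cache: MAC -> hour of last machine auth. Not replicated before ISE 2.3."""
    aging_hours: float
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """The WasMachineAuthenticated condition: entry exists and has not aged out."""
        seen = self.entries.get(mac)
        return seen is not None and now - seen < self.aging_hours


def authorize_mar(cache: MarCache, mac: str, user_ok: bool, now: float) -> str:
    """PEAP or EAP-TLS user auth: full access needs a live MAR entry on *this* PSN."""
    if not user_ok:
        return "deny"
    return "full-access" if cache.was_machine_authenticated(mac, now) else "user-only-restricted"


def authorize_eap_chaining(machine_ok: bool, user_ok: bool) -> str:
    """EAP-FAST with EAP chaining: both results arrive in one EAP session, no cache lookup."""
    if machine_ok and user_ok:
        return "full-access"
    if machine_ok:
        return "machine-only"
    return "user-only-restricted" if user_ok else "deny"


def first_bounce_hour(aging_hours: float, reauth_every: float, days: int = 7):
    """User boots once, then only locks/unlocks for `days`, re-authenticating every
    `reauth_every` hours (assumed periodic reauth). Returns the hour at which the
    MAR-based policy first drops to restricted access, or None if it never does."""
    cache = MarCache(aging_hours)
    mac = "00:11:22:33:44:55"  # constructed
    cache.record_machine_auth(mac, now=0)
    hour = reauth_every
    while hour <= days * 24:
        if authorize_mar(cache, mac, user_ok=True, now=hour) != "full-access":
            return hour
        hour += reauth_every
    return None
```

A second PSN is modelled simply as a fresh `MarCache` with no entries, which is why a failover sends every user to the restricted result until they log out and back in.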

8 REPLIES

Hi Jacob,

Thanks so much for taking the time to respond and for clarifying this for me.... really appreciate it. This is indeed what I suspected.

A month ago or so I played with a demo of AnyConnect and NAM and was able to get EAP chaining to work on our network. So now we will need to look at purchasing this and deploying it.

Question is, with AnyConnect, does the user/machine authentication also happen when unlocking a workstation? Otherwise, what's the benefit of EAP chaining if the user refuses to log out regularly?

Thanks again.

John

Hi John!

Great question, I will attempt to answer it:

If the computer is locked either by inactivity or manually by the user it will still remain connected to the network "as the user". It is important to know that the Windows logon screen and Windows lock screen look very similar but they are not the same when it comes to network access! The lock screen does not trigger machine authentication and it will not disconnect your user from the network.

If the computer is locked while not connected to either the wireless or the wired corporate network (like if you brought it home) and it is then brought back to the corporate network, I believe it's not unlocking the computer itself by logging in that triggers the authentication, it's more the case of AnyConnect going "I am not connected to the corporate network, I should try to connect with what I have" as the computer sits on the lock screen and it sees the SSID available or if you plug in the network cable. If you are using double certificates to authenticate then AnyConnect will have access to those and use them. If you are using AD credentials instead with Single Sign-On (allowing AnyConnect to use them for network access) it will also connect. I have never heard of any weird hiccups regarding this, it just works. I have tried most scenarios regarding this and I have yet to run into something that leaves my users without proper network access.

In my most recent deployment we use EAP-FASTv2 with EAP-chaining where the machine is authenticated using a certificate and the user is authenticated using the AD credentials. The AnyConnect NAM profile is configured to use the Windows logon credentials for user authentication to provide a Single Sign-On experience. In the Windows native supplicant you have to pick either to use certificate or credentials, but with AnyConnect NAM you can mix them however you want (which is great!).

There are actually some advantages to not running double certificate authentication in some use-cases, at least in Windows 10 Enterprise.

Hi Jacob

great posts and I like your way of explaining things!

Have you had any experience in a mixed (heterogeneous) network consisting of Windows 8/10, MACOS, Android, iOS? I am working on a redesign project where we want to steer away from using EAP-PEAP on those devices and to use EAP-TLS instead. But the theory has to work across all the possible wireless devices and OSs commonly seen in the environment. I know that in iOS there is no concept of a user login, so a machine cert would suffice. But what about MACOS, is there a concept of a "network login to AD"?

This is something I should probably test in the lab. The idea of deploying AnyConnect doesn't inspire me ... for $$$ reasons and adding more "bloat" to the workstation ;-) ... (unless it's the only way to solve the problem). I would like to see how to design this with the native OS capabilities.

cheers

Hi Arne!

Yes, I have some customers where ISE is used for pretty much every kind of device. I think a lot of it comes down to whether or not you have an MDM tool to manage your iOS/MacOS/Android devices.

If you don't have an MDM tool you could use the internal certificate authority on ISE (ISE BYOD) to generate certificates for those kinds of devices, which will grant them network access using EAP-TLS, but this feature is pretty complex and is very dependent on the device itself. We've had several issues where there have been problems with the BYOD process due to Apple or Google changing things up in the OS. In my opinion ISE BYOD gets harder to implement every time there is an update to iOS and Android. ISE BYOD requires Plus licensing though.

PEAP-MSCHAPv2 is the "poor man's BYOD" but I think it's really good if you're just looking to provide internet access. To grant any other kind of access ("better" access) to an iOS/MacOS/Android device I would recommend using an MDM tool to keep them under control and use the MDM to issue certificates to be used for network access. MDM integration with ISE requires Apex licensing.

I know iOS and Android both support EAP-FAST but I have never tested it. Not sure it can do EAP-chaining...

I hadn't used AnyConnect NAM until last year and I think it's a pretty good product; it is very flexible and you get away from a lot of the bad network drivers/bugs in the Windows native supplicant. Windows Updates and its KB patches have caused some odd problems throughout the years :(

Thanks again for your answers Jacob. The more I play with this AnyConnect, the more I like it. However, I am running into one road block that will prevent us from deploying this.

For some reason (I'm still troubleshooting) users randomly are not getting their Home drives mapped at login, and yet the drives mapped from the login script do get mapped, most of the time. Have you run into this with wireless AnyConnect clients?

I can tell you that the home drive is set up in the AD account profile for the user and the path is to a DFS namespace.

I have also enabled user environment debug logging in Windows 7 to try and gather more info about what might be happening, but I'm not an AD expert. I have looked at Wireshark captures to try and compare successful vs failed mappings, but just cannot put my finger on it.

If I remove the AnyConnect client and use the native Windows supplicant on the same wifi network (PEAP this time), this problem does NOT occur.

If you have any thoughts, I'd love to hear them. :)

Oh and I'm glad to see my post has generated some good conversation here.

Thanks.

John

Hi John!

Unfortunately I haven't had that problem, most of my time working with AnyConnect NAM is on the Windows 10 OS, mainly because in Windows 10 Enterprise there is a feature called Credential Guard which disables Single Sign-On in the Windows native supplicant for security reasons (Microsoft doesn't like any process/software accessing machine and/or user credentials on the device). Most AD administrators refuse to disable Credential Guard.

However, with AnyConnect NAM you can still do Single Sign-On. Microsoft has stated that only "sophisticated software" may access those kinds of credentials and AnyConnect is one of those programs. This has become one of the main points why I like AnyConnect for network access.

I haven't run into any issues with Home drives on Windows 10... could be a Windows 7 problem :(

EAP chaining is great and works like a charm, but it's not for free and needs to be deployed.

Not sure about the real meaning of the function and possible side effects, but I've seen that enabling the SSO option on the Windows supplicant forces machine authentication to happen also at login and not only at bootup.

Anyone tried this before?