ISE 3.3 Machine Auth + User authentication

mikiNet
Level 1

Hello,

I found a few discussions about the subject, but none of them answer my question.

My idea (for wireless connections first, and after successfully implementing that, for wired connections) is to use machine authentication before the user logs in and user authentication after login. So when the computer boots up and before the user logs in, the computer should automatically authenticate with my Cisco ISE (using a certificate or the username of this computer) and receive, for example, a VLAN that only has access to AD for the subsequent user authentication.

When the user types his username and password, we have a separate authentication process with Cisco ISE, where ISE sends back an appropriate VLAN with more access (for example another VLAN).

I know that EAP-Chaining and TEAP are not a good option because these two methods do machine and user auth in the same step.

I want to authenticate in two steps: first machine, then user.

How can I achieve this goal? Any configuration guide?

2 Replies

thomas
Cisco Employee

You may still authenticate machine-only, then when the user logs in do machine+user with TEAP.

Example ISE Authorization Rules for TEAP are in ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP).
https://cs.co/ise-berg#teap

https://cs.co/ise-berg#windows > Configure EAP profiles in Windows

Please see the ISE BERG for all future ISE configuration needs.
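To make the two-stage flow in the reply concrete, here is an added example (not code from this thread, from Cisco, or from the ISE BERG) that models an ordered, first-match authorization policy in Python: a machine-only session at boot lands in a restricted VLAN, a TEAP session where both machine and user succeed gets the full-access VLAN, and a user credential presented from a machine that did not authenticate is rejected. The session attribute names, rule names and VLAN numbers are constructed for illustration; in a real deployment the equivalent conditions are built in the ISE authorization policy from the EAP chaining result and identity-group attributes that ISE provides.

```python
"""Model of an ordered, first-match authorization policy for a
machine-then-user 802.1X deployment.

Added illustration, not Cisco/ISE code. Session attributes, rule names
and VLAN numbers are constructed; real ISE policies use the attributes
exposed in the ISE policy editor.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    """Constructed subset of what a RADIUS server sees for one session."""
    eap_method: str                      # e.g. "EAP-TLS" (machine only) or "TEAP" (chained)
    machine_passed: bool                 # machine credential validated
    user_passed: bool                    # user credential validated
    machine_in_domain_computers: bool = False   # machine identity is a known domain computer
    user_in_domain_users: bool = False          # user identity is a known domain user


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    vlan: Optional[int]                  # None means the session is rejected


# Constructed VLAN numbers: 200 reaches only AD/DC services for the
# later user logon; 100 is the normal access VLAN.
VLAN_PRELOGIN_AD_ONLY = 200
VLAN_FULL_ACCESS = 100

# Ordered policy: the first matching rule decides, like an ISE policy set.
POLICY: List[Rule] = [
    Rule(
        "TEAP machine and user both succeeded",
        lambda s: s.eap_method == "TEAP"
        and s.machine_passed
        and s.user_passed
        and s.machine_in_domain_computers
        and s.user_in_domain_users,
        VLAN_FULL_ACCESS,
    ),
    Rule(
        "Machine-only (pre-login)",
        lambda s: s.machine_passed
        and not s.user_passed
        and s.machine_in_domain_computers,
        VLAN_PRELOGIN_AD_ONLY,
    ),
    # Valid user credentials from a device that did not prove it is a
    # domain machine: explicit reject rather than falling through.
    Rule(
        "User credential without machine authentication",
        lambda s: s.user_passed and not s.machine_passed,
        None,
    ),
]


def authorize(session: Session) -> Tuple[str, Optional[int]]:
    """Return (matched rule name, VLAN or None for reject); default is deny."""
    for rule in POLICY:
        if rule.condition(session):
            return rule.name, rule.vlan
    return "Default deny", None


def two_stage_flow() -> List[Tuple[str, Optional[int]]]:
    """Walk a domain laptop through boot (machine-only EAP-TLS) and then
    user logon (TEAP with both credentials), returning the VLAN per stage."""
    boot = Session("EAP-TLS", machine_passed=True, user_passed=False,
                   machine_in_domain_computers=True)
    login = Session("TEAP", machine_passed=True, user_passed=True,
                    machine_in_domain_computers=True, user_in_domain_users=True)
    return [("boot", authorize(boot)[1]), ("login", authorize(login)[1])]


if __name__ == "__main__":
    for stage, vlan in two_stage_flow():
        print(f"{stage}: VLAN {vlan}")
    # A domain user typing credentials on an unmanaged device is rejected.
    print(authorize(Session("TEAP", False, True, False, True)))
```

The design point is the third rule: without it, a session where only the user credential succeeded would fall to the default, and in a policy whose default is permissive that is exactly how a personal device with borrowed domain credentials ends up on the network.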

Dear Thomas,

First of all, thank you for your reply!

Regarding your answer, I have a couple of additional questions:

1. You said "You may still authenticate machine-only then when the user logs in do machine+user with TEAP" -

Is it possible to do machine-only auth using a certificate and then, when the user logs in, do machine+user with TEAP using MS-CHAPv2?

I ran a little lab simulation, and probably to do machine auth using MS-CHAPv2 I need Active Directory, because the local ISE database is not sufficient for it. Is that correct?

Question about the configuration of the Windows native supplicant: in the configuration for the user I can choose which method I want to use during the EAP exchange. But what about the machine? Does the machine always use the method we set for user auth?

Can we mix auth methods for machine and user? All configuration guides regarding TEAP configuration use one method: certificate.

Can you share a Windows supplicant configuration to achieve this goal (to mix the certificate and MS-CHAPv2 methods)?

Is this configuration in the native supplicant's primary and secondary authentication fields?

Is it possible to authenticate the machine using MS-CHAPv2 with the ISE local database? Where in Windows can I change the username and password for machine auth? Because in the next step I need to create an identity in the ISE local database the same as I configured in Windows.

Last question:

As I understand it, TEAP is an improved method compared to MAR. I know that MAR has a couple of issues, like problems when the user hibernates his laptop; does this problem also occur with the TEAP method?