ISE Closed Mode Machine (Certificate) can work with EAPoL

oumodom
Level 1

Dear Cisco ISE Lover,

I would like to seek your support to clarify the best practice, as we plan to test transitioning from Low-Impact mode to Closed mode.
The challenge is the practice with wired supplicants: Windows EAP Chaining (EAP-TLS + MSCHAPv2), and MacBook EAP-PEAP.

Note: First we plug in, then the machine authenticates; EAPoL does not clearly mention whether it supports machine certificates or not?
If yes, how does EAPoL work with AD to validate the trusted machine and then validate the trusted user with MSCHAPv2?

Could someone confirm we can use EAP-FAST, EAP Chaining with Closed Mode?
Thank you,

Accepted Solution

Closed mode is no different from Monitor or Low-Impact mode with the exception of the action that we apply in Closed mode, which most likely is to deny access to the network for any failed authentication or authorization. However, Closed mode in itself does not really dictate which protocols can be used and which not; it just deals with the actions you apply rather than anything else. Think about it as just a mode with different actions applied to the sessions. Obviously in Closed mode we have to configure the switch ports to be "closed".

I took this snippet of a post I replied to a few days back that might help:

In simple words, this is what would happen during the EAP-TLS authentication process:
- The endpoint shows itself to the NAD by sending an EAPoL message from its supplicant, which is the piece of software responsible for managing this EAP authentication process. This could be Cisco AnyConnect/Secure Client NAM, a third-party software, or even a native supplicant.
- The NAD asks the endpoint to provide its identity.
- The endpoint responds to the NAD.
- The NAD relays the endpoint identity to the RADIUS server via RADIUS.
- Based on the configured policies on the RADIUS server, the server will respond to the NAD with its decision.
- The NAD applies the enforcement action to the endpoint session based on the RADIUS server decision, this could be allow or deny or even more actions such as VLAN change, redirection, dACL etc.

As per my knowledge this is what would happen from EAP and RADIUS perspective:
- The endpoint sends the first EAP message to announce itself in an EAPoL-Start message.
- The NAD sends an EAP-Request/Identity message to the endpoint asking the endpoint to provide its identity.
- The endpoint responds to the NAD with an EAP-Response/Identity message with its identity.
- The NAD converts this message into a RADIUS Access-Request packet and sends it to the RADIUS server.
- The RADIUS server responds to the NAD with a RADIUS Access-Challenge packet. This would be step 3 you have on the guide, and this starts the secure tunnel negotiation between the RADIUS server and the endpoint, still via the NAD.
- The NAD converts this packet into an EAP-Request/TLS start message and sends it to the endpoint with the TLS proposal.
- The endpoint responds to the NAD with an EAP-Response/TLS client hello message.
- The NAD converts this message into a RADIUS Access-Request packet and sends it to the RADIUS server.
- The RADIUS server responds to the NAD with another RADIUS Access-Challenge packet with its server hello and other additional attributes such as its key exchange, its certificate and also a request for the endpoint certificate.
- The NAD converts this packet into an EAP-Response/TLS message and sends it to the endpoint.
- The endpoint responds to the NAD with an EAP-Response/TLS with its certificate, ciphers, and its key exchange.
- The NAD converts this message into another RADIUS Access-Request packet and sends it to the RADIUS server.
- The RADIUS server responds to the NAD with another RADIUS Access-Challenge packet to finish the TLS negotiation.
- The NAD converts this packet into another EAP-Request/TLS with the secure tunnel attributes that have been agreed on between the RADIUS server and the endpoint and then sends this message to the endpoint.
- The endpoint responds to the NAD with an EAP-Response message.
- The NAD converts this message into a RADIUS Access-Request packet and sends it to the RADIUS server.
- The RADIUS server responds to the NAD with a RADIUS Access-Accept packet.
- The NAD converts this packet into an EAP-Success message. From here on the endpoint session would be authorized.

Solved: Re: ISE Communication Model question - Cisco Community


9 Replies

Yes, it works; there is no problem.

Cisco ISE Wired 802.1X with EAP-PEAP Example

MHM

@oumodom yes in closed mode EAPOL is sent for machine certificate authentication.


Do you use Credential Guard? That causes a problem when using MSCHAPV2, you may wish to implement user certificates (in addition to the machine certificates) instead.

Perhaps use TEAP instead of EAP-FAST. TEAP will still give you EAP Chaining, but there is less admin overhead as you do not need to deploy and support Secure Client/AnyConnect NAM.

Hi @Rob Ingram
We don't use Credential Guard, as the Windows platform uses EAP-FAST and EAP chaining (machine certificate + user authentication). The supplicant already has Secure Client installed.

What I can't confirm is how EAPoL authentication works, as firstly the machine is authenticated (machine cert to ISE via EAPoL)?


EAP is allowed to pass, and the cert is encapsulated inside EAP.

PASS THROUGH CLOSED PORT (port runs 802.1X in closed mode)

MHM

'EAP is allowed to pass' what?
Pass authentication or password?

Please elaborate more on how EAPoL works with closed mode for authentication.

EAPoL is the protocol that will be used for any data exchange between the clients and the network devices; this is L2 traffic where all EAP messages/packets are exchanged. On the other side, RADIUS will be the protocol that will be used between the network devices and the RADIUS server. Within RADIUS, all EAP traffic will be encapsulated into RADIUS before it is sent from the network device to the RADIUS server. But again, this flow won't change if the mode is monitor, low-impact, or closed. However, what changes are the actions returned from the RADIUS server to the network devices; in closed mode, they most likely would be denying the failed authentication and authorization access to the network.
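Both the accepted solution and the reply above describe the same job the NAD does: carry EAP between two transports, EAPoL on the wire and RADIUS EAP-Message attributes towards ISE. The following Python script is an added example, not code from this thread or from Cisco: it builds a constructed EAP-Response/Identity inside an EAPoL frame body, re-encapsulates the EAP packet into a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes as a NAD would, and verifies the Message-Authenticator as the RADIUS server must before trusting the EAP payload. The identity, shared secret and RADIUS ID are constructed sample values; no Ethernet header or UDP transport is modelled.

```python
import hmac, hashlib, struct, os

EAPOL_EAP_PACKET = 0                       # EAPoL packet type 0 = EAP-Packet (802.1X)
EAP_RESPONSE, EAP_TYPE_IDENTITY, RADIUS_ACCESS_REQUEST = 2, 1, 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTH = 1, 79, 80

def build_eapol_identity_response(identity: bytes, eap_id: int) -> bytes:
    """Supplicant side: EAP-Response/Identity wrapped in an EAPoL frame body (L2, no Ethernet header)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap   # version 2, type, body length

def extract_eap(eapol: bytes) -> bytes:
    """NAD side: strip the EAPoL header; only the EAP packet travels on to RADIUS."""
    _version, ptype, length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_EAP_PACKET or len(eapol) < 4 + length:
        raise ValueError("not a complete EAPoL EAP-Packet")
    return eapol[4:4 + length]

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value

def eap_to_access_request(eap: bytes, secret: bytes, radius_id: int, req_auth: bytes) -> bytes:
    """NAD side: carry the EAP packet in RADIUS EAP-Message attributes (<=253 bytes each, RFC 3579)."""
    attrs = b""
    if eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        attrs += _attr(ATTR_USER_NAME, eap[5:])        # identity is mirrored into User-Name
    for off in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    attrs += _attr(ATTR_MESSAGE_AUTH, bytes(16))       # zero placeholder, filled in below
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 over the packet with MA zeroed
    return pkt[:-16] + mac

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """RADIUS server side: recompute Message-Authenticator; EAP requests without a valid one are dropped."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2: return False                      # malformed attribute length
        if atype == ATTR_MESSAGE_AUTH and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False                                       # attribute missing

if __name__ == "__main__":
    secret = b"constructed-shared-secret"              # constructed sample values throughout
    frame = build_eapol_identity_response(b"host/LAB-PC01.example.test", eap_id=1)
    req = eap_to_access_request(extract_eap(frame), secret, 7, os.urandom(16))
    print(verify_message_authenticator(req, secret))   # True
```

The flow is the same whether the port is in monitor, low-impact or closed mode; only the authorization result ISE returns in the Access-Accept or Access-Reject differs.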


thomas
Cisco Employee

You may use anything you want in Closed Mode as long as you use something.

Closed Mode means every endpoint/user MUST authenticate or it will be Failed/Rejected.

Which credentials and protocols are required are determined by you and your ISE policy configuration.

We are using EAP-FAST with EAP Chaining (EAP-TLS and MSCHAPv2) for Windows machines, and PEAP for MacBooks.