ISE Domain Computer Authentication

de1denta
Level 3

Hi All,

I'm trying to configure ISE to differentiate between corporate and employee devices that connect to the wireless network using PEAP/MSCHAP authentication. I'm currently looking at only permitting users onto the corporate network who have passed machine and user authentication using machine access restriction, but I have come to understand the limitations of MAR and the Windows supplicant.

Unfortunately we cannot use any NAC clients at this time and we do not have a PKI infrastructure, so EAP Chaining is not an option at the moment.

One option that I'm looking at is using computer only authentication with PEAP/MSCHAP. We will configure Windows group policy to push out a policy to corporate laptops to use computer only authentication pre and post login with no user level authentication.

Are there any issues with using computer only authentication using PEAP/MSCHAP?

Thanks


4 Replies

jj27
Spotlight

You have highlighted a majority of the methods for identifying domain computers. There are no issues with using computer-only authentication other than that all of your authenticated clients will show up as host/computer.domain.local, so you will lose the ability to identify which user is on which computer, if that is a requirement.

de1denta

Hi,

Thank you for the response.

Are there any issues with PEAP/MSCHAP computer-only authentication from a security perspective as well? I have had a few people request that we maintain two-factor authentication of computer and user as it's more secure, so I'm being challenged on the computer-only approach.

Thanks

de1denta

Hi,

Can anyone answer this? Much appreciated.

Thanks

That largely depends on the organization's security policy.  As was mentioned, if you use machine authentication only, you will be missing the piece to the puzzle that tells you the user information.  In some organizations, the user info is required so machine auth only is simply not an option.  When it comes to an organization that doesn't have a security policy or one that is not complete enough to cover this topic, they just have to decide if they want to have the user info in their logs.  Using PEAP for machine authentication is somewhat common.  I would imagine financial institutions, government organizations, etc. will require user authentication as well. 

Using machine authentication for differentiation of corp vs personal devices is clearly valid.  Requiring a user auth to have a cached, matching machine auth (MAR) does introduce caveats that you have to be aware of, no doubt.  But, there are still a number of customers that implement it.

Also, you mentioned that EAP Chaining is not an option since there is no PKI.  But, you don't have to use certs for EAP Chaining.  Many customers that are concerned enough to implement EAP Chaining also have a PKI available, but not all.

Tim
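The two points above (jj27: machine-only auth shows every endpoint as host/computer.domain.local with no user identity; Tim: MAR ties a user auth to a cached, matching machine auth and has caveats) can be made concrete by replaying authentication records. The script below is an added example, not code from this thread or from Cisco ISE. The log format (ts,mac,identity,result) and the 8-hour cache lifetime are assumptions made for illustration; real ISE records and MAR cache settings differ per deployment. It classifies each successful user authentication by whether the same MAC had a successful host/ machine authentication within the cache window, and lists endpoints that only ever authenticated as a computer account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical MAR cache lifetime for this example. The real value is a
# deployment setting in ISE/AD and is not taken from the thread.
MAR_CACHE = timedelta(hours=8)


@dataclass
class AuthEvent:
    ts: datetime
    mac: str
    identity: str
    passed: bool


def is_machine_identity(identity: str) -> bool:
    """The Windows native supplicant presents the computer account for
    PEAP/MSCHAPv2 machine auth as host/<hostname>.<dns-domain>."""
    return identity.lower().startswith("host/")


# Constructed sample records in a hypothetical "ts,mac,identity,result"
# form. These are not real ISE log lines.
SAMPLE_LOG = """\
2024-01-10T07:30:00,12:34:56:78:9a:bc,host/KIOSK01.corp.example.local,PASS
2024-01-10T07:58:00,00:11:22:33:44:55,host/LAPTOP01.corp.example.local,PASS
2024-01-10T08:02:00,00:11:22:33:44:55,CORP\\alice,PASS
2024-01-10T08:05:00,66:77:88:99:aa:bb,CORP\\bob,PASS
2024-01-10T09:00:00,cc:dd:ee:ff:00:11,host/LAPTOP02.corp.example.local,FAIL
2024-01-10T09:01:00,cc:dd:ee:ff:00:11,CORP\\carol,PASS
2024-01-11T09:00:00,00:11:22:33:44:55,CORP\\alice,PASS
"""


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed CSV-style records and sort them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, identity, result = line.split(",")
        events.append(AuthEvent(datetime.fromisoformat(ts), mac.lower(),
                                identity, result == "PASS"))
    return sorted(events, key=lambda e: e.ts)


def classify(events: list[AuthEvent]) -> tuple[dict[str, str], set[str]]:
    """Replay the log in time order, emulating a MAR-style check.

    Returns:
      verdicts: "<ts> <identity>" -> CORP_USER, NO_MACHINE_AUTH or
                MACHINE_AUTH_EXPIRED, one entry per successful user auth
      machine_only: MACs that only ever authenticated as host/...; these are
                the sessions for which no user identity is known
    """
    last_machine_ok: dict[str, datetime] = {}
    seen_user: set[str] = set()
    verdicts: dict[str, str] = {}
    for e in events:
        if not e.passed:
            continue  # a failed machine auth must never seed the cache
        if is_machine_identity(e.identity):
            last_machine_ok[e.mac] = e.ts
            continue
        seen_user.add(e.mac)
        key = f"{e.ts.isoformat()} {e.identity}"
        cached = last_machine_ok.get(e.mac)
        if cached is None:
            verdicts[key] = "NO_MACHINE_AUTH"       # personal or unknown device
        elif e.ts - cached > MAR_CACHE:
            verdicts[key] = "MACHINE_AUTH_EXPIRED"  # the MAR cache caveat
        else:
            verdicts[key] = "CORP_USER"
    machine_only = set(last_machine_ok) - seen_user
    return verdicts, machine_only


if __name__ == "__main__":
    verdicts, machine_only = classify(parse_log(SAMPLE_LOG))
    for key, verdict in verdicts.items():
        print(f"{key}: {verdict}")
    print("machine-only endpoints (no user known):", sorted(machine_only))
```

The last record shows the caveat Tim refers to: alice's laptop authenticated as a machine the previous morning, so a user auth the next day with no fresh machine auth in between (for instance after resuming from sleep, where the supplicant does not re-run machine auth) falls outside the cache and is treated as a non-corporate device. The KIOSK01 endpoint illustrates jj27's point: it is clearly a domain computer, but nothing in the records says who is sitting at it.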