ISE dot1x deployment using MAR

gpinero
Level 1

Hi, I'm working on a deployment of dot1x in my network and I need some recommendations and best practices.

Main idea for authentication:

1 - First method, dot1x:
- Machine authentication with AD, native supplicant (using MAR)
- User authentication with AD (PEAP). VLAN assignment based on user group

2 - MAB for devices that don't support dot1x, for example printers or old devices
3 - VLAN with restricted access for guests.

Some questions:

With MAR, and keeping in mind user mobility (a user who logs in on another computer and ISE assigns the same VLAN in any place):
- What is the recommendation for computer authentication? Assign a VLAN with restricted access to permit the user to log in?

New computers that have not yet joined AD:
- Can I use MAB to authenticate the computer and again permit this restricted VLAN that has access to do the Active Directory join?
This option needs extra effort: loading the MAC address into an Endpoint Group.

Assuming that the computer is already authenticated:
- With this scenario of new computers, can the IT department authenticate to the network using, for example, only a domain user (MAR)? I think yes, if the policy is "was machine authenticated" or user.

If the supplicant in Windows is configured to send the AD user login automatically,
is it possible to authenticate a local machine user (not domain, a local admin user on the computer)?

MAR is the simple way to do it without installing AnyConnect, but
what are the benefits of using EAP Chaining with AnyConnect?

 

Does anyone have experience with this scenario or a similar one? What are the best practices and the logical sequence of authentication?

How would you do it?

 

Thanks in advance.

CCNP R&S, CCNP Security, CCNA CyberOps
Accepted Solution

ldanny
Cisco Employee

I'm not sure there is a best practice as there are many options; it's rather what meets your corporate policy requirements.

With MAR, and keeping in mind user mobility (a user who logs in on another computer and ISE assigns the same VLAN in any place):
- What is the recommendation for computer authentication? Assign a VLAN with restricted access to permit the user to log in?

** I would recommend using a dACL; that way you don't need to rely on VLAN restrictions in your network.

 

New computers that have not yet joined AD:
- Can I use MAB to authenticate the computer and again permit this restricted VLAN that has access to do the Active Directory join? This option needs extra effort: loading the MAC address into an Endpoint Group.

** Again I recommend using a dACL. Using dVLAN can be tricky, as not all endpoints know how to release and renew an IP address based on a VLAN change; make sure you understand the endpoint behavior when it comes to dVLANs.

 

Assuming that the computer is already authenticated:
- With this scenario of new computers, can the IT department authenticate to the network using, for example, only a domain user (MAR)? I think yes, if the policy is "was machine authenticated" or user.

** You can set the supplicant to authenticate based on user, computer, or both.

 

If the supplicant in Windows is configured to send the AD user login automatically,
is it possible to authenticate a local machine user (not domain, a local admin user on the computer)?

** This won't work, as it's local to the PC and AD does not know of locally managed accounts, so authentication would fail.

MAR is the simple way to do it without installing AnyConnect, but
what are the benefits of using EAP Chaining with AnyConnect?

** EAP chaining uses the EAP-FAST protocol, which most supplicants do not support natively, hence the use of AnyConnect.

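The sequence the thread settles on (dot1x machine auth populating the MAR cache, dot1x user auth checked against that cache, MAB as the fallback for supplicant-less devices, and dACLs rather than VLANs as the authorization result) is easier to reason about as an executable model. The script below is an added example, not code from the thread or from Cisco ISE; the AD accounts, MAC addresses, dACL names and the 6-hour MAR aging value are constructed, and the `was_machine_authenticated` check stands in for the `WasMachineAuthenticated` condition an ISE authorization rule would use. It replays the poster's cases: a domain-joined PC, a domain user on a not-yet-joined PC, a local Windows account, an aged-out MAR entry, and MAB for a printer and an unknown MAC.

```python
"""Toy model of dot1x machine auth -> MAR cache -> dot1x user auth -> MAB fallback.

Added example; all directory data, MACs, dACL names and the aging time are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed directory data standing in for Active Directory.
AD_COMPUTERS = {"ws-01$", "ws-02$"}                 # domain-joined computer accounts
AD_USERS = {"alice": "staff", "bob": "it-admins"}  # user -> AD group
# Constructed MAB endpoint group (printers loaded by MAC, as the OP describes).
MAB_ENDPOINT_GROUP = {"00:11:22:33:44:55"}

# Constructed dACL names; the ACE contents would live on ISE, not here.
DACL_BY_GROUP = {"staff": "PERMIT_STAFF", "it-admins": "PERMIT_ADMIN"}
DACL_MACHINE_ONLY = "PERMIT_AD_DNS_DHCP"   # enough for a user to log in at the console
DACL_USER_NO_MAR = "PERMIT_DOMAIN_JOIN"    # domain user on a host with no fresh MAR entry
DACL_PRINTER = "PERMIT_PRINT"
DACL_GUEST = "PERMIT_INTERNET_ONLY"


@dataclass
class MarCache:
    """MAR cache: MAC -> time of the last successful machine authentication."""
    aging_seconds: int
    entries: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        ts = self.entries.get(mac)
        return ts is not None and now - ts < self.aging_seconds


@dataclass
class Request:
    mac: str
    method: str          # "dot1x-machine", "dot1x-user" or "mab"
    identity: str = ""   # computer account or username; unused for MAB


def authorize(req: Request, cache: MarCache, now: float) -> Tuple[str, Optional[str]]:
    """Evaluate the rules top-down, first match wins. Returns (result, dACL)."""
    if req.method == "dot1x-machine":
        if req.identity in AD_COMPUTERS:
            cache.record(req.mac, now)             # MAR: remember this MAC
            return ("ACCESS_ACCEPT", DACL_MACHINE_ONLY)
        return ("ACCESS_REJECT", None)

    if req.method == "dot1x-user":
        group = AD_USERS.get(req.identity)
        if group is None:
            # A local Windows account is unknown to AD: authentication fails.
            return ("ACCESS_REJECT", None)
        if cache.was_machine_authenticated(req.mac, now):
            return ("ACCESS_ACCEPT", DACL_BY_GROUP[group])
        # Domain user on a host without a fresh MAR entry (e.g. IT staff on a
        # not-yet-joined PC): restricted dACL. This is a policy choice of the model.
        return ("ACCESS_ACCEPT", DACL_USER_NO_MAR)

    if req.method == "mab":
        if req.mac in MAB_ENDPOINT_GROUP:
            return ("ACCESS_ACCEPT", DACL_PRINTER)
        return ("ACCESS_ACCEPT", DACL_GUEST)       # unknown MAC: guest-style access

    return ("ACCESS_REJECT", None)


def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Replay the OP's cases against one MAR cache and return each outcome."""
    cache = MarCache(aging_seconds=6 * 3600)       # constructed aging time
    t0 = 1_700_000_000.0
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    # 1. Domain-joined PC boots: machine auth succeeds and a MAR entry is created.
    out["machine"] = authorize(Request("aa:bb:cc:00:00:01", "dot1x-machine", "ws-01$"), cache, t0)
    # 2. alice logs in on that PC a minute later: MAR hit -> group dACL.
    out["user_mar_hit"] = authorize(Request("aa:bb:cc:00:00:01", "dot1x-user", "alice"), cache, t0 + 60)
    # 3. bob logs in on a PC that never machine-authenticated (not yet joined).
    out["user_no_mar"] = authorize(Request("aa:bb:cc:00:00:02", "dot1x-user", "bob"), cache, t0 + 60)
    # 4. Local admin account sent by the supplicant: AD lookup fails.
    out["local_user"] = authorize(Request("aa:bb:cc:00:00:02", "dot1x-user", "localadmin"), cache, t0 + 60)
    # 5. MAR entry aged out: alice on ws-01 a day later is treated as user-only.
    out["user_mar_expired"] = authorize(Request("aa:bb:cc:00:00:01", "dot1x-user", "alice"), cache, t0 + 86400)
    # 6. Printer without a supplicant, and an unknown MAC, both via MAB.
    out["printer_mab"] = authorize(Request("00:11:22:33:44:55", "mab"), cache, t0)
    out["unknown_mab"] = authorize(Request("de:ad:be:ef:00:01", "mab"), cache, t0)
    return out


if __name__ == "__main__":
    for name, (result, dacl) in run_scenarios().items():
        print(f"{name:18} {result:14} {dacl}")
```

Two things the model makes visible that the prose only implies: the MAR cache is keyed by MAC, so a roaming user only gets the full dACL on a computer that itself passed machine authentication recently, and an aged-out entry silently downgrades the session to the user-only result, which is the behaviour EAP chaining avoids by carrying both identities in one exchange.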