cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1559
Views
5
Helpful
2
Replies

ISE - EAP Chaining (TLS vs MSCHAP)

mitchell helton
Level 1
Level 1

Good morning!

 

I'm having a tough time wrapping my brain around something, and hope you experts can help.  I also hope this isn't too vague of a question, and if it is, I can give specifics around why I'm asking. 

 

If I'm deploying user certificates via AD/GPO, is there any value in using certificates (EAP-TLS) for user authentication?  If someone captures a username/password, once they login as that user the certificate will be deployed to them any way.

 

Am I missing something?  I had originally wanted to do EAP chaining with TLS for user and machine and now I'm wondering if using TLS for machine and MSCHAPv2 for the user makes more sense.

 

So, I guess my question is, what value does TLS for user authentication have within chaining as opposed to MSCHAPv2?

 

Thank you!

 

mitch

1 Accepted Solution

Accepted Solutions

Hi,
Using User Certificates for authentication in some environments can be a pain E.g. multiple users logging in and out of the same computer.

I don't see any issue using EAP Chaining (EAP-TLS for Computers and PEAP/MSCHAPv2 for User authentication). As long as the ISE rule is configured specifically = if User and Computer passed authenticiation then permit. If computer authentication fails but user authentication passes, either deny or limit the access with a DACL/TrustSec SGT etc.

HTH

View solution in original post

2 Replies 2

Hi,
Using User Certificates for authentication in some environments can be a pain E.g. multiple users logging in and out of the same computer.

I don't see any issue using EAP Chaining (EAP-TLS for Computers and PEAP/MSCHAPv2 for User authentication). As long as the ISE rule is configured specifically = if User and Computer passed authenticiation then permit. If computer authentication fails but user authentication passes, either deny or limit the access with a DACL/TrustSec SGT etc.

HTH

That sounds reasonable to me.  Thanks so much for the input and advice!