ISE EAP-Chaining with machine, certificate and domain credentials

Good morning,

A customer wants to do the following for their corporate wireless users (all clients will be customer assets):

Corp. wireless to authenticate with 2-factor authentication:

1. Certificate
2. Machine auth through AD
3. Domain creds

When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.

Clients are Windows laptops and corporate iPhones.

Certs can be issued through GPO and MDM for iPhones.

Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627

My first question is: can this be done?

Second question: how would I implement this from an AuthC/AuthZ perspective?

Thanks in advance,

Andrew


rodrigo.cisco
Level 4

You can do this by configuring AnyConnect with the NAM module on endpoints! But it doesn't make sense to me to configure some clients with certificates and others with domain credentials...

For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7, which is sending information correctly about the domain but wrong information about the user credentials; in the ISE logs I can see that Windows 7 is sending the user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect it again, the authentication and authorization happen correctly. I'm still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.

Good luck and keep in touch.

Hi Rodrigo,

How did you solve the problem where Windows 7 is sending the user "anonymous" on login? I have exactly the same problem; my ISE shows that the credentials are actually anonymous!

Thanks

blenka
Level 3

Kindly go through the link; it may help you.

http://www2.uni-frankfurt.de/47587107/anyconnect31rn.pdf

Thank you for the replies.

Going back to the customer: they don't want to load any extra clients on their machines, so I have to work within the restrictions of the Windows native supplicant.

Given that limitation, how can I authenticate/authorize against machine auth in AD, user creds in AD, and a client cert (EAP-TLS)? The result should be: if the client passes all 3, then they are allowed on the network.

Thanks in advance

dal
Level 3

Hi.

With Windows laptops, this shouldn't be a problem.

As I see it, 1 and 2 are the same thing; Machine Auth uses the machine certificate to authenticate. And to link the computer certificate against the proper computer in AD, you can go into Administration -> External Identity Sources -> Certificate Authentication Profile and check the box that says "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory". Then you must make a rule that matches something in your AD or in your certificate.

And to link the User against the Computer, you can add a rule that contains this:

Network Access:WasMachineAuthenticated Equals True.

Not sure how this will play out on mobile devices, though.

Hello,

I know that this is an old thread, but I'm dealing with an issue that I thought you could help solve.

I've deployed ISE 2.0 and I've created a policy to match the machine and user certificate, but for some reason the computer certificate is being validated and the user certificate is not.

I'm receiving the following error:

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).


My client machine is Windows 7 (with AnyConnect installed) and I have an internal root CA.

Regards,

AM 

I don't see how this would work with Windows devices. The native supplicant only authenticates with either the user or the machine.

Also, how would you set up the native supplicant to perform certificate-based authentication for the machine and user-based authentication for the user? As far as I know you can't do PEAP-MSCHAPv2 & EAP-TLS at the same time with the native Windows supplicant.

Let your GPO push down the machine cert (if this is a Windows environment).

At ISE:

1) Create a Certificate Profile & add it to an Identity Source Sequence

2) Apply the Identity Source at the Authentication Policy

3) You need 2 rules at the Authorization Policy

3.1 - 1st: get the machine authorized first.

3.2 - 2nd: WasMachineAuthenticated EQUALS True & get the user authorized.
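As an added illustration (not code from this thread or from Cisco ISE), here is a small Python model of the two-rule authorization policy in the reply above and dal's WasMachineAuthenticated condition: a successful machine authentication populates a Machine Access Restriction (MAR) cache keyed by the endpoint MAC, and a later user authentication from the same MAC passes only while that entry is within its aging time. The MAC addresses, identities, aging value and rule names are constructed assumptions.

```python
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 8 * 3600  # assumed MAR cache aging time (constructed value)


@dataclass
class Session:
    mac: str          # RADIUS Calling-Station-Id of the endpoint
    identity: str     # "host/<computer>" for machine auth, "DOMAIN\\user" for user auth
    cert_valid: bool  # EAP-TLS client cert chained to the internal CA and bound in AD
    timestamp: int    # epoch seconds when the request arrived


@dataclass
class MarCache:
    # MAC -> time of the last successful machine authentication
    entries: dict = field(default_factory=dict)

    def record(self, mac, ts):
        self.entries[mac] = ts

    def was_machine_authenticated(self, mac, now):
        ts = self.entries.get(mac)
        return ts is not None and now - ts <= MAR_AGING_SECONDS


def is_machine(identity):
    return identity.lower().startswith("host/")


def authorize(session, cache):
    """Ordered rules, first match wins, like an ISE authorization policy."""
    # Rule 1: machine authorization (computer account + validated machine cert)
    if is_machine(session.identity) and session.cert_valid:
        cache.record(session.mac, session.timestamp)
        return "Machine_Access"
    # Rule 2: user authorization only if this endpoint was machine authenticated
    if session.cert_valid and cache.was_machine_authenticated(session.mac, session.timestamp):
        return "User_Access"
    return "DenyAccess"  # default rule


def demo():
    cache, t0 = MarCache(), 1_700_000_000
    flow = [
        Session("00:11:22:33:44:55", "host/LAPTOP1.corp.example", True, t0),   # boot: machine auth
        Session("00:11:22:33:44:55", "CORP\\alice", True, t0 + 60),             # user logon, same laptop
        Session("66:77:88:99:aa:bb", "CORP\\bob", True, t0 + 60),               # never machine authenticated
        Session("cc:dd:ee:ff:00:11", "host/OTHER.corp.example", False, t0),     # bad machine cert
        Session("00:11:22:33:44:55", "CORP\\alice", True, t0 + MAR_AGING_SECONDS + 1),  # MAR aged out
    ]
    return [authorize(s, cache) for s in flow]
```

The aged-out case at the end is the operational caveat with this design: a user who stays logged on past the MAR aging time will fall to the default rule on the next reauthentication until the machine authenticates again.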