
ISE EAP-TLS without user certificate - only machine certificate

Stiva
Level 1

Hi all,

I am in the process of configuring corporate WiFi with the following setup:

  • ISE 3.1 with a premium license, and a WLC Catalyst 9800-L
  • Windows 10 laptops joined to a domain, featuring duo authentication without user certificates
  • The laptops are equipped with machine certificates

Our intention is to employ EAP-TLS as the primary (only) EAP method. According to RFC 5126 (RFC 5216 - The EAP-TLS Authentication Protocol (ietf.org)), it should be feasible to implement this setup as follows:

"The certificate_request message is included when the server desires the peer to authenticate itself via public key. While the EAP server SHOULD require peer authentication, this is not mandatory, since there are circumstances in which peer authentication will not be needed (e.g., emergency services), or where the peer will authenticate via some other means."

-------------------------

However, under “Policy > Policy Elements > Results > Authentication > Allowed Protocols” in ISE, the configurations for EAP-TLS seem not to mention the user certificate in any way.

Could you advise if it's possible to configure ISE to utilize EAP-TLS without user certificates? Is there another setting that would allow for this configuration?

While I'm aware that TEAP could be used for machine authentication via certificate and user authentication with a username/password, I'm curious if there's a way to authenticate users with EAP-TLS without user certificates using ISE and Windows 10 machines.

Thank you in advance for your assistance.

Best regards,

Stiva

6 Replies

@Stiva you would need to configure the Windows supplicant (manually or via GPO) to perform machine authentication only using certificates; therefore user authentication will not be performed.

You can use PEAP/MSCHAPv2 to authenticate the users without user certificates; the Windows supplicant will need to be configured to specify which method to use. Certificates are the recommended authentication method nowadays, not PEAP/MSCHAPv2.
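
An added example, not part of the reply above and not Cisco or Microsoft code: a Python check that parses an exported Windows WLAN profile (for instance from `netsh wlan export profile`) and confirms the supplicant is set to machine-only EAP-TLS with the RADIUS server name pinned. The sample profile, SSID and server name are constructed placeholders, and `audit_profile` is a hypothetical helper name.

```python
# Added example: audit a Windows WLAN profile for machine-only EAP-TLS.
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eapc": "http://www.microsoft.com/provisioning/EapCommon",
    "tls": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
}

# Constructed, trimmed sample profile; SSID and server name are placeholders.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CorpWiFi-example</name>
 <MSM><security>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machine</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>13</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
      <ServerValidation><ServerNames>ise.example.com</ServerNames></ServerValidation>
     </EapType></Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means machine-only EAP-TLS."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = root.findtext(".//onex:authMode", default="(absent)", namespaces=NS)
    if mode != "machine":  # other schema values: machineOrUser, user, guest
        findings.append(f"authMode is {mode!r}, expected 'machine'")
    eap_type = root.findtext(".//eapc:Type", default="(absent)", namespaces=NS)
    if eap_type != "13":  # 13 = EAP-TLS, 25 = PEAP
        findings.append(f"EAP method type is {eap_type}, not 13 (EAP-TLS)")
    names = root.findtext(".//tls:ServerValidation/tls:ServerNames", default="", namespaces=NS)
    if not names.strip():
        findings.append("no ServerNames pinned for RADIUS server validation")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE) or "OK: machine-only EAP-TLS")
```
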

Stiva
Level 1

@Rob Ingram thank you for the reply. My understanding that adjustments need to be made on the ISE stems from these specific excerpts from the RFC:

"The certificate_request message is included when the server desires the peer to authenticate itself via public key. While the EAP server SHOULD require peer authentication, this is not mandatory, since there are circumstances in which peer authentication will not be needed….

If the EAP server sent a certificate_request message in the preceding EAP-Request packet, then unless the peer is configured for privacy (see Section 2.1.4) the peer MUST send, in addition, certificate and certificate_verify messages."

Based on this, I deduced that the server's default behavior involves sending a certificate_request, and the client is obligated to respond with its own certificate. Therefore, it seems logical that there should be a configuration option within the ISE server settings to either send or not send the certificate_request, aligning with the notion that peer authentication, while recommended, is not strictly mandatory and can be adjusted based on specific scenarios or requirements.

I'm interested in understanding if and how this configuration can be achieved within the ISE to facilitate the desired authentication flow without necessitating user certificates.

Thank you once again for your insights.

Best regards, Stiva

Stiva
Level 1

There may be aspects I'm not fully aware of. It seems that once network connectivity has been established via machine authentication, user authentication and authorization might not rely on EAP, but could instead be managed through Kerberos. This leads to my uncertainty on how ISE would detect and process this form of authentication for subsequent authorization decisions.

Hello Stiva. It all depends on how you configure ISE to serve the authentication and authorization rules. Here is an overview of what would be required:

- EAP-TLS requires mutual authentication, which means both ISE and the endpoints will need to authenticate each other. This requires ISE to have the issuer certificate of the endpoints' identity certificates imported and ticked to be used for client authentication. From the endpoints' perspective, the same should happen. However, if the ISE EAP authentication certificate is issued by the same issuer as the endpoints, then the endpoints would have that certificate already installed in the certificate store as a trusted root CA.

- ISE needs to be connected to your domain controller, and the AD groups that will be used for authentication, whether machine or user authentication, need to be "activated" in ISE. Those groups would then be referenced in the authorization rules.

- ISE needs to be configured with a certificate authentication profile that will be configured with the identity attribute that needs to be parsed from the certificate and relayed to your AD.

- ISE needs to be configured with one or more authentication rules that will be responsible for authenticating the machines or users. From ISE's perspective, the authentication rule could be as simple as saying look at dot1x requests, certificate validity, issuer, and identity via checking against the certificate authentication profile. This applies to machine or user authentication, no difference at this stage. The allowed protocols profile needs to have EAP-TLS enabled. From the profile or ISE perspective, enabling the EAP-TLS protocol doesn't dictate whether the authentication requests will be coming from a user or a machine, no distinction at that stage.

- ISE needs to be configured with one or more authorization rules that will be responsible for authorizing the machine or user sessions. The authorization rules usually would look at the AD groups, and here is the bit of config where you say I want to look at the machines AD group or at the users AD group. However, from ISE's perspective it doesn't really make much of a difference.

- The network devices such as switches or WLCs need to be configured to relay the authentication requests to ISE, and they need to be added into ISE as part of the initial build.

- The endpoints' supplicants need to be configured to do machine or user authentication. That also is another bit where you decide if you want to do machine or user dot1x.

 

Dear @Aref Alsouqi 

Thank you for your insightful and detailed response.

As I grasp it, for machine authentication/authorization, we can deploy 802.1x+EAP-TLS with a certificate. This approach negates the necessity for a second 802.1x authentication for users. Therefore, user authentication/authorization would rely on the connectivity secured through the machine's authentication/authorization process. A user might be authenticated/authorized through AD using Kerberos. The WLC would then communicate the user's authentication details to the ISE, which in turn verifies these details with AD (this part is still blurry for me about how authentication packets end up on ISE on network layer).

When you configure the network devices such as switches and WLCs, you set the RADIUS server to be ISE. What those network devices will do then is relay the authentication requests coming from the machines or users to ISE. Between the machine or users, EAPoL will be used, and between the network devices and ISE, RADIUS will be used. Then once ISE has done its bits, including checking with the AD the identity presented in the authentication request, ISE will then send RADIUS attributes back to the network devices with the actions that should be applied. The network devices finally apply those actions to the sessions.