04-29-2020 08:49 AM
At the moment we are doing EAP-TLS with machine-based certificate authentication. As such, in the ISE RADIUS live logs we see the machine name. There is a requirement to do user-based firewall policies on Palo Alto with the RADIUS log information passed from ISE. Since we are using machine certificates, it doesn't seem this will work without switching over to user certificates for EAP-TLS. Is my understanding correct? Or is there a trick to get the user identity information for these types of authentication? I ask because a user will log in to Windows using their AD account, so even though auth is done with the machine certificate, is there a way for ISE to see the Windows login account?
This is what we see in the RADIUS live logs, showing the machine name for identity.
04-29-2020 03:36 PM
You are already using 802.1X, but perhaps there is a way to leverage the ISE EasyConnect feature (read about it here) to link ISE to AD, and when a user has logged in, a WMI event is sent to ISE (which should also be available as a SYSLOG that your Palo Alto can consume).
Doing Machine + User Auth using the native Windows supplicant is also possible - but it's fraught with issues/limitations about switching between wired/wireless, machines waking up from sleep, the MAR cache, etc. All these issues are apparently resolved with TEAP (Tunneled EAP) - it's available in ISE 2.7 and Windows 10 Insider Preview.
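To illustrate the point of the thread, here is an added example (not from the original post or from Cisco/Palo Alto) that parses ISE-style key=value passed-authentication syslog lines and shows why machine-certificate EAP-TLS cannot feed a user-to-IP mapping: the identity arrives as a computer account (host/fqdn or DOMAIN\NAME$), not a user. The field names (UserName, Framed-IP-Address, Calling-Station-ID) and the sample lines are assumptions constructed for the example.

```python
# Constructed sample lines in the comma-separated key=value style of ISE
# passed-authentication syslog. Field names are assumed for this example.
SAMPLE_LOGS = [
    "UserName=host/LAPTOP-01.corp.example, Framed-IP-Address=10.1.20.15, "
    "Calling-Station-ID=00-11-22-33-44-55, EapAuthentication=EAP-TLS",
    "UserName=CORP\\LAPTOP-02$, Framed-IP-Address=10.1.20.16, "
    "Calling-Station-ID=00-11-22-33-44-66, EapAuthentication=EAP-TLS",
    "UserName=jdoe@corp.example, Framed-IP-Address=10.1.20.17, "
    "Calling-Station-ID=00-11-22-33-44-77, EapAuthentication=EAP-TLS",
    "UserName=CORP\\asmith, Framed-IP-Address=10.1.20.18, "
    "Calling-Station-ID=00-11-22-33-44-88, EapAuthentication=EAP-TLS",
]


def parse_fields(line):
    """Split one 'k=v, k=v' syslog line into a dict (first '=' separates key from value)."""
    fields = {}
    for part in line.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_machine_identity(name):
    """AD computer accounts show up as host/<fqdn> (SPN form) or DOMAIN\\NAME$ (sAMAccountName form)."""
    bare = name.split("\\", 1)[-1]  # drop an optional DOMAIN\ prefix
    return bare.lower().startswith("host/") or bare.endswith("$")


def user_ip_mappings(lines):
    """Return ({user: ip}, [skipped machine identities]).

    Only user identities are usable for user-based firewall policy; machine
    identities from machine-certificate EAP-TLS are reported but not mapped.
    """
    mappings, skipped = {}, []
    for line in lines:
        fields = parse_fields(line)
        identity = fields.get("UserName")
        ip = fields.get("Framed-IP-Address")
        if not identity or not ip:
            continue  # no identity or no address: nothing to map
        if is_machine_identity(identity):
            skipped.append(identity)
            continue
        mappings[identity] = ip
    return mappings, skipped


if __name__ == "__main__":
    mapped, skipped = user_ip_mappings(SAMPLE_LOGS)
    print("user->ip:", mapped)
    print("machine identities (not mappable to a user):", skipped)
```

Running it shows that the two machine-certificate sessions yield no user mapping at all, which is the gap EasyConnect (or user certificates / TEAP) is meant to close.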
04-29-2020 10:33 PM
Hi @Arne Bier, I wasn't aware of EasyConnect, but it's definitely something that would work for us as an alternative. Thanks for the suggestion! Yeah, didn't plan on trying with the Windows supplicant.