Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12466
Views
35
Helpful
7
Replies

ISE Machine Authentication

Go to solution
Ricky Sandhu
Level 3
Level 3

‎01-02-2019 05:54 PM

Hey everyone, Happy New Year!

My question has to do with Windows Machine Authentication.  I understand the in's and out's of how 802.1x works but having some confusion about the actual authentication of the machine.  My understanding is, when a machine joins AD, an account is created and credentials are stored on the machine.  After this, each time machine is rebooted, machine authentication takes place (before user authentication).  What if I am using a wireless SSID that authenticates users via 802.1x (PEAP).  This means wireless connection won't come up, until a user provides his/her credentials.  How does the machine authenticate itself to the domain even if the user is not logged into the computer and no IP address is assigned to that computer.

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-03-2019 12:21 AM

Client IP address isn't required for PEAP authentication whether its wired
or wireless.

* Outer channel of EAP is established as part of SSID handshake similar to
wired connection.
* Next username/password for user authentication or machine-name/password
for machine authentication is encapsulated in EAP messages (inner channel)
* The credentials are exchanged with AP using EAP message, AP encapsulate
the messages over CAPWAP and sends them to WLC (this is using AP and WLC IP
addresses)
* Finally WLC decap CAPWAP messages and forward the EAP messages to ISE
using WLC/ISE IPs. ISE will decapsulate the messages to obtain name and
password for user or machine.

This is the same concept in wire. You can see that for entire handshake,
client IP isn't required. For WiFi, EAP handshake is part of joining SSID
and if it fails, SSID joining will fail.

Hope its clear.

**** Please remember to rate useful posts

View solution in original post

7 Replies 7

Go to solution
pan
Cisco Employee
Cisco Employee

‎01-02-2019 10:54 PM - edited ‎01-02-2019 11:10 PM

Is your SSID configured for dot1x? If yes then wireless NIC setting need to be changed as below:

wireless machine auth1.pngwireless machine auth2.png

 

wireless machine auth3.png

wireless machine auth4.png

 

Now change the setting for dot1x to user or machine auth.

 

wireless machine auth5.png

Go to solution
paul
Level 10
Level 10
In response to pan

‎01-03-2019 05:54 AM

You would almost never want to do PEAP computer or user authentication as shown using the Windows Native supplicant.  As mentioned if you set the supplicant for computer only you are ensuring the device is domain joined and thus a company asset.  If you allow the supplicant to transition to user authentication using PEAP you are losing the fact that the user is on a company asset.  You can use profiling/MAR cache to help determine the user is still on a company asset but each of those have their own pit falls.

 

 

Go to solution
Sheraz.Salim
VIP
VIP
In response to paul

‎01-03-2019 06:29 AM

@paulhow about passive-id and which you recommand would be more beneficial

 

1. profiling with AD, DNS, DHCP, HTTP, RADIUS

2. passive-id

3. if using posture, than HTTP and DHCP

 

 

please do not forget to rate.
0 Helpful

Go to solution
Ricky Sandhu
Level 3
Level 3
In response to paul

‎01-03-2019 10:30 AM - edited ‎01-03-2019 10:33 AM

Big thanks to everyone who responded but Mohammed hit the nail right on the head for this one.  Thank you!



0 Helpful

Go to solution
nithinrs78901
Level 1
Level 1

‎01-03-2019 12:08 AM

If you are using winidws 10 or 8 operating system,you should change the registry value.

 

Windows 8/10 Registry Changes for 802.1x Authentication

 

  1. Press the Windows logo Key+R to open the Run box.
  2. Type regedit in the Run box, and then press Enter.
  3. Locate and then select the following registry subkey:

                HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

  1. On the Edit menu, click New, and then click DWORD (32-bit)
  2. Type LsaAllowReturningUnencryptedSecrets, and then press Enter.
  3. Right-click LsaAllowReturningUnencryptedSecrets, click Modify…, type 1 in the Value data box, and then click OK.
  4. Exit Registry

 

NOTE: No registry changes for windows 7

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-03-2019 12:21 AM

Client IP address isn't required for PEAP authentication whether its wired
or wireless.

* Outer channel of EAP is established as part of SSID handshake similar to
wired connection.
* Next username/password for user authentication or machine-name/password
for machine authentication is encapsulated in EAP messages (inner channel)
* The credentials are exchanged with AP using EAP message, AP encapsulate
the messages over CAPWAP and sends them to WLC (this is using AP and WLC IP
addresses)
* Finally WLC decap CAPWAP messages and forward the EAP messages to ISE
using WLC/ISE IPs. ISE will decapsulate the messages to obtain name and
password for user or machine.

This is the same concept in wire. You can see that for entire handshake,
client IP isn't required. For WiFi, EAP handshake is part of joining SSID
and if it fails, SSID joining will fail.

Hope its clear.

**** Please remember to rate useful posts
Customers Also Viewed These Support Documents