Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1343
Views
0
Helpful
2
Replies

ISE - Machine + user authentication

Tim Lewis
Level 1
Level 1

‎12-11-2012 07:52 AM - edited ‎03-10-2019 07:53 PM

I've searched forum, community but I couldn't find exactly what I need:

I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication.

Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:

If I configure ISE to authenticate machine, it will allow limited access to DC (for example).

Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished.

Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:

How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless.

NAM is already refused by client, so I need something that will work on plain Windows 7.

Thanks.

Labels:
0 Helpful
2 Replies 2

petermitchell
Level 1
Level 1

‎12-11-2012 11:28 PM

Dunno if I understand exactly what your asking.

MAR is based on MAC address.  So wired auth will be treated seperately to wireless auth. 

I don't know if you turn on wifi after login whether it will do both machine and user.  I know coming out of hiberation doesn't trigger machine auth on native supplicant.

If wired and wireless connections are active at the same time and auto metric is ticked, windows will route remote traffic out the fastest interface (eg 300meg wireless beats 100meg wired)

Regarding Policy

Machine auth - Authz give a sniff of the network for logon.

User auth with previous machine auth - give more access (suggest dACL better than vlan change)

0 Helpful

nspasov
Cisco Employee
Cisco Employee

‎12-12-2012 11:02 AM

Hello Align-

In your post you are referring to two completely separate and independent solutions:

1. MAR

2. EAP-Chaining

MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if let's say a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed

EAP-Chaining on the other hand utilizes EAP-FAST and it s a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might wanna look into Cisco's TrustSec guide:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

I hope this helps!

Thank you for rating!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents