ISE setup for Corp Wi-Fi with both user and machine auth

deyanpanchev2 (Level 1)

General Info:

We would like to deploy two forms of checks for our Corporate Wi-Fi network. Ideally we want to authenticate and allow access only to corporate-owned devices (Windows laptops with machine certificates) with users from our AD, aka I want to do a machine cert check and a user/pass check against AD, and if both are OK, allow the users to join. We do not want any non-corporate device to be able to join purely with user/pass. Currently the setup is supported by an old ACS, which we are replacing with ISE. The 2 Wi-Fi networks are as follows: the Corporate SSID works with EAP-PEAP and looks only at user/pass but does not provide any device check, and we want only corporate-owned devices to log in; the second Wi-Fi network is for mobile devices (tablets and phones), again corporate-owned but not Windows ones, which have corporate certs and currently do EAP-TLS with a cert check for the device.

Details: The environment – We have Cisco ISE 3.1 as VMs in HA, we have Meraki for Wireless, the Microsoft supplicant for Corp, the AnyConnect supplicant for Mobile, AD as IdP and a local CA (MS). Cisco ISE has only the lowest level of licensing as of now – Essentials.

From what I read, with Essentials we cannot look into the machine (aka running apps, registry, hostname etc.), so we need to use certificates; however PEAP only cares about user and pass, and EAP-TLS does not check user/pass.

More digging showed that we can either use EAP Chaining or MAR (Machine Access Restrictions).

Basically I would like help with determining the best way forward and any configuration guides or hints.

I would like to see your experience with the following:

Question 1: Is EAP Chaining the only option with the current certificates? We can see there are two supported EAPs for EAP Chaining, both using TLS Secure EAP: one is EAP-FAST with Chaining and the other (the new one) is called TEAP. Are these the only ones? Any recommendations as per our setup?

Question 2: EAP-FAST with EAP chaining – can it check the machine cert for device auth and then user/pass via internal MS-CHAPv2 (same as in PEAP)? Can it run on our setup, Meraki for AP, ISE 3.1, and does it require only Cisco AnyConnect as supplicant? What does it require as configuration (config on Meraki, config on ISE and config on AnyConnect, maybe via profiles), and can you provide example config guides? Is this setup (EAP-FAST) stable and recommended? It is old but not very widespread in usage, and I see reports of users complaining about stability and having to re-auth very often. The end customer is a high-value critical health care provider in the UK, so we cannot offer a solution that is not stable.

Question 3: EAP-TEAP – can this do the job with our setup, auth based on the machine cert for the device and on user/pass from AD for the user? Is it better or recommended over EAP-FAST? Can Cisco Secure Client / AnyConnect support TEAP, and from which version (I only saw an example for doing it with the MS native supplicant and not our Cisco Secure Client)? If that is the recommended approach, please help with config article links or PDF documents to configure all 3 parts: Meraki, ISE and the AnyConnect supplicant (profiles).

Question 4: Would enabling MAR do the trick? Provided all machines are in the AD?

Question 5: Is there any better solution in terms of changes, stability and ease of implementation, even if it requires an update of the license (and to which level)? Can you please recommend how you would do it according to best practices and our environment and requirements outlined above.

Best Regards,

Accepted Solution

@deyanpanchev2 yes, EAP Chaining will meet your needs, using TEAP or EAP-FAST

EAP-FAST requires Cisco AnyConnect licensing to use the NAM application as the supplicant. EAP-FAST has been around for years and I've used it in environments before; it works ok. You can use a combination of Machine Cert and Username/Password for users.

TEAP uses the built-in native Windows 10/11 supplicant, so you will not require additional AnyConnect software & licensing. You can use a combination of Machine Cert and Username/Password for users. TEAP is still relatively new, but less cost and less mgmt overhead. I've rolled it out recently; it works as expected and has been reliable.

MAR is rarely used, it's not as good as the others. https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html

TEAP or EAP-FAST is a better solution, I'd go with TEAP personally.


4 Replies

Thank you, I will go in the TEAP direction.

Is this currently the most usable article on the config side: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

If not, can you share a link or doc please? We are on 3.1 and things look different.

Cheers,

@deyanpanchev2 I think that's the most recent Cisco guide and ISE 3.1 hasn't changed significantly from 3.0, which was used in the guide. There isn't much to configure for TEAP, the guide above contains the correct information, as the same configuration and authorisation profile conditions are used.

Cheers mate, got it to work with machine auth being OK, but we want both user and machine auth to happen: the user based on username/pass and the machine authenticated via certificate, and only then the access to be given. In the Windows supplicant I am seeing only the option OR (user or machine cert), and the example above seems to use certificates for both user and machine. I changed the supplicant to use MSCHAPv2 as the second method, but the user is never prompted to input creds? Any idea mate?
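To make the chaining requirement from the accepted answer concrete, and to show why a supplicant that only ever runs one of the two inner methods (the "user or computer" setting in the last post) can never satisfy it, here is an added Python model of an ISE-style EAP-chaining authorization decision for TEAP. This is example code, not Cisco's or ISE's implementation; the result strings are modeled after ISE's EapChainingResult attribute values (an assumption), and the CA name and AD group are constructed.

```python
"""Model of an EAP-chaining (TEAP) authorization decision, ISE-style.

TEAP (RFC 7170) runs two inner EAP methods inside one TLS tunnel:
method 1 authenticates the machine (EAP-TLS with the machine cert),
method 2 authenticates the user (EAP-MSCHAPv2 against AD).  The server
combines both results and the authorization policy decides.  Result
strings are modeled after ISE's EapChainingResult values (assumption);
the CA name and AD group below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

CORP_CA_DN = "CN=Corp-Issuing-CA,DC=corp,DC=example"   # constructed
WIFI_GROUP = "corp.example/Users/Wi-Fi-Users"          # constructed


@dataclass
class TeapSession:
    """Outcome of one TEAP tunnel as the RADIUS server sees it."""
    machine_ok: bool                    # inner EAP-TLS (machine cert) succeeded
    machine_cert_issuer: Optional[str]  # issuer DN of the presented cert
    user_ok: bool                       # inner EAP-MSCHAPv2 against AD succeeded
    user_groups: tuple[str, ...] = ()   # AD groups returned for the user


def chaining_result(s: TeapSession) -> str:
    """Combined result for the session, in ISE's wording (assumption)."""
    if s.machine_ok and s.user_ok:
        return "User and machine both succeeded"
    if s.user_ok:
        return "User succeeded and machine failed"
    if s.machine_ok:
        return "User failed and machine succeeded"
    return "User and machine both failed"


def authorize(s: TeapSession) -> tuple[str, str]:
    """Return (authorization profile, chaining result).

    Only a corporate machine (cert from our CA) AND a user in the Wi-Fi
    group gets access.  Everything else is denied, including a personal
    laptop with valid AD credentials (user-only) and a corporate laptop
    at the login screen (machine-only), which is the OP's requirement.
    """
    result = chaining_result(s)
    corp_device = s.machine_ok and s.machine_cert_issuer == CORP_CA_DN
    corp_user = s.user_ok and WIFI_GROUP in s.user_groups
    if result == "User and machine both succeeded" and corp_device and corp_user:
        return ("Corp-WiFi-Permit", result)
    return ("DenyAccess", result)
```

A supplicant set to "user or computer" only ever produces the user-only or machine-only branch, so the policy above denies it by design; the chaining condition is what turns "user AND machine" into an enforceable rule rather than a supplicant preference.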