02-12-2018 10:21 AM
Good day team.
My customer asks if it's possible to bind a user to his particular AD-registered PC.
So only users accessing the network using their own domain PC are allowed; others are quarantined.
Machines and Users are authenticated using 802.1x with certificates.
Best regards,
Dmitry Kazakov.
02-12-2018 10:47 PM
Hi Dmitry,
There are a few things you can do if you want to bind user and machine.
1. ISE has something called the Machine Access Restriction (MAR) cache, which remembers the MAC address of the machine when it authenticates and uses that for user authentication. But it has a few caveats where it could break if you move between wired/wireless and a couple of other things.
2. You could use EAP-chaining, which is part of AnyConnect NAM, that binds the user and machine in the same session and has different ways of authorizing the user + machine based on its auth success or failure.
3. You can use AC posture to identify a registry key, asset tag that identifies a machine. You can use this in combination with 802.1x authentication.
These are some of the ways to bind user and machine. The second option is the best from a security standpoint.
Thanks
Krishnan
02-13-2018 02:31 AM
Good day, Krishnan.
If we are using the second way with EAP-Chaining, as I understand we may check that the user authentication session is using the same EAP session from the same machine which issued the Machine Auth part, but are we able to bind user authentication to a particular machine only, so the user is able to access from only one machine, his own?
I mean the case where a user may not log in from each and every domain computer, but user JSMITH may log in only from a PC with hostname (or certificate subject containing) WS-JSMITH.
Best regards,
Dmitry Kazakov.
02-13-2018 02:44 AM
Dmitry, two ways I can think of. Both require ongoing maintenance of user-to-device mappings. The first method uses user-to-PC-name mappings while the second method uses user-to-MAC-address mappings.
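To make the two replies above concrete, here is an added example (my own code, not from the thread or from Cisco ISE) that models the authorization decision after EAP chaining: only a session where both user and machine authentication succeeded is checked against a maintained user-to-device table, and the device can be identified either by the machine certificate CN (the WS-JSMITH case) or by its MAC address. The chaining-result labels, user names, hostname and MAC are constructed sample values, not ISE attribute names.

```python
import re

PERMIT, QUARANTINE = "PermitAccess", "Quarantine"

# Constructed user -> device mapping: the table the reply says must be
# maintained, keyed by the user's short account name in lower case.
USER_DEVICE_MAP = {
    "jsmith": {"hostnames": {"ws-jsmith"}, "macs": {"00:11:22:33:44:55"}},
}

def normalize_user(identity):
    """Accept CORP\\jsmith, jsmith@corp.example.com or plain jsmith."""
    ident = identity.strip()
    if "\\" in ident:
        ident = ident.rsplit("\\", 1)[1]
    elif "@" in ident:
        ident = ident.split("@", 1)[0]
    return ident.lower()

def normalize_mac(mac):
    """Canonicalise 0011.2233.4455 / 00-11-... / 00:11:... to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def hostname_from_subject(subject):
    """Short hostname taken from the CN of a machine-certificate subject DN."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject, re.IGNORECASE)
    if not m:
        raise ValueError(f"no CN in subject: {subject!r}")
    return m.group(1).strip().split(".")[0].lower()

def authorize(chaining_result, user_identity, machine_subject=None, mac=None):
    """Authorization result for one EAP-chained session.

    chaining_result is a constructed label for the outcome matrix the thread
    mentions; only 'both_succeeded' is eligible for the binding check, and
    either piece of evidence (certificate CN or MAC) may satisfy it."""
    if chaining_result != "both_succeeded":
        return QUARANTINE
    allowed = USER_DEVICE_MAP.get(normalize_user(user_identity))
    if allowed is None:  # user has no registered device at all
        return QUARANTINE
    if machine_subject and hostname_from_subject(machine_subject) in allowed["hostnames"]:
        return PERMIT
    if mac and normalize_mac(mac) in allowed["macs"]:
        return PERMIT
    return QUARANTINE  # valid user on a valid domain machine, but not his own
```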