
ISE with PCoIP

kris26
Level 1

Hello,

One of my clients uses PCoIP in 70% of the institution. They use one PCoIP terminal for multiple users. I am trying to develop a NAC solution which dynamically assigns a VLAN and a dACL depending on the user who logs in. The problem is that the terminals support only EAP-TLS for 802.1X. I can upload a certificate for a machine, but there are a lot of moves between buildings with terminals, and one day a terminal is used by a group from IT and another day by one from finance. So I want to identify users by AD groups. Is there any possibility for that with EAP-TLS?

Thanks, Kris


6 Replies

M02@rt37
VIP

Hello @kris26,

EAP-TLS is primarily a machine-level authentication method that relies on client certificates to authenticate the device rather than individual users. It doesn't inherently support user-based authentication or AD group identification like some other EAP methods (e.g., EAP-PEAP or EAP-TTLS) might. However, there are ways to achieve user-based access control and dynamic VLAN assignment with EAP-TLS if you can't change the authentication method.

While EAP-TLS doesn't inherently support AD group identification, you can configure your NAC solution to dynamically assign VLANs and dACLs based on attributes passed during authentication. This can be based on a combination of certificate attributes, MAC addresses, and other criteria. You would need to ensure that your NAC solution supports this level of customization.

I wonder if when you configure the RADIUS server for EAP-TLS, you could configure it to examine certificate attributes for specific information. While this doesn't directly map to AD group membership, you could include information in the user or machine certificates that distinguishes the users, such as OU or other attributes.... You should then configure policies in your NAC solution to match those attributes to dynamically assign VLANs and dACLs....

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

My NAC supports this level of customization and I can configure it to examine certificate attributes for specific information, but that does not resolve my problem, because I would have to upload certificates for all employees to each terminal... And I wonder whether I could give some guest VLAN to the machine and after that use some AD group identification...

Thanks for your feedback @kris26.

Use EAP-TLS for initial machine authentication, which assigns a machine-specific certificate to the terminal. This certificate can be used to provide network access for the terminal, and it can be placed in a guest VLAN as a starting point.

After the terminal has network access, users can log in to the system. At this point, you can use another method for user authentication, such as EAP-PEAP or EAP-TTLS, that supports user-based authentication and AD group identification. Once the user has authenticated successfully, you can reassign them to the appropriate VLAN and apply the relevant dACL based on their AD group membership.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
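As an added illustration of the two suggestions in this thread (matching attributes of the terminal's EAP-TLS certificate to a VLAN and dACL, and dropping terminals whose certificate carries no group information into a guest VLAN), here is a small Python model of such a RADIUS authorization policy. It is example code, not from ISE, the thin-client vendor or anyone in this thread; the OUs, VLAN numbers, dACL names and the use of the generic Filter-Id attribute to carry the dACL name are constructed assumptions, while the Tunnel-Type and Tunnel-Medium-Type values are the ones RFC 3580 defines for VLAN assignment.

```python
"""Model of an 802.1X authorization policy driven by client-certificate
attributes. Added example; rule names, OUs, VLANs and dACL names are
constructed and do not come from any real ISE deployment."""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514-style subject DN such as "CN=term-42,OU=IT,O=Example"
    into a dict of attribute -> list of values. Backslash-escaped commas
    inside a value are honoured; repeated attributes are kept as a list."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    attrs = {}
    for rdn in parts:
        rdn = rdn.strip()
        if not rdn:
            continue
        key, _, value = rdn.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


@dataclass
class Rule:
    name: str
    match: dict  # certificate attribute -> required value; all must match
    vlan: int
    dacl: str    # hypothetical dACL name


# Constructed policy: ordered, first match wins.
POLICY = [
    Rule("IT-terminals", {"OU": "IT"}, 110, "PERMIT_IT_TOOLS"),
    Rule("Finance-terminals", {"OU": "Finance"}, 120, "PERMIT_FINANCE_APPS"),
]
# Fallback for a valid certificate that matches no rule: a restricted guest
# VLAN that only reaches the VDI broker (constructed values).
GUEST_VLAN, GUEST_DACL = 999, "PERMIT_VDI_BROKER_ONLY"


def radius_avpairs(rule: str, vlan: int, dacl: str) -> dict:
    """Build the attributes a RADIUS server returns to the switch for a
    VLAN assignment (RFC 3580) plus the dACL reference. Filter-Id is used
    here as a generic stand-in for the vendor-specific dACL attribute."""
    return {
        "rule": rule,
        "Tunnel-Type": 13,            # 13 = VLAN
        "Tunnel-Medium-Type": 6,      # 6 = IEEE-802
        "Tunnel-Private-Group-Id": str(vlan),
        "Filter-Id": dacl,
    }


def authorize(subject_dn: str) -> dict:
    """Evaluate the policy for the subject DN of an authenticated client
    certificate and return the resulting RADIUS attributes."""
    attrs = parse_dn(subject_dn)
    for rule in POLICY:
        if all(v in attrs.get(k, []) for k, v in rule.match.items()):
            return radius_avpairs(rule.name, rule.vlan, rule.dacl)
    return radius_avpairs("Default-guest", GUEST_VLAN, GUEST_DACL)


if __name__ == "__main__":
    # Constructed sample subjects: two labelled terminals and one with no OU.
    for dn in ("CN=term-42,OU=IT,O=Example",
               "CN=term-07,OU=Finance,O=Example",
               "CN=term-99,O=Example"):
        print(dn, "->", authorize(dn))
```

The model also makes the limitation raised in this thread concrete: `authorize()` only ever sees the certificate the terminal presents, so every person who sits at `term-42` lands in the same VLAN with the same dACL. Re-labelling a terminal when it moves between departments means issuing it a new certificate, which is exactly the operational burden the original post describes; any per-user decision has to come from a second authentication that the switch-level EAP exchange cannot provide.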

Thanks for your help.

It would be the perfect solution for me, but I don't know how to use another method for user authentication, because I connect by PCoIP to a server where my profile is. When I am in the guest VLAN I log in to my profile on the server, and now somehow I have to do another authentication on the server which supports EAP-PEAP.

@kris26, I do not believe what you are trying to do is possible. EAP is a Layer2 protocol that happens between the client supplicant and the switch. In this case, the supplicant is controlled by the thin client, which likely has no way to capture user credentials to initiate an 802.1x user session using EAP (you would need to confirm that with the vendor).

With this type of thin client scenario, you can typically only authenticate the machine via EAP-TLS at the point of access (the switch). Any user-based authentication/authorization would have to happen upstream in the VDI infrastructure or software.

Thanks for your reply.

I thought so too, but I wanted to create a case to confirm. I was hoping there would be some solution by ISE with a guest portal or something like that. I read the vendor documentation and the only way is to add a proxy server which supports EAP-PEAP or EAP-MSCHAPv2.