1692 Views · 5 Helpful · 2 Replies

Machine and User Auth wireless?

bhartsfield
Level 1

I have a request on an ISE 3.0 setup to use AD authentication on wireless 802.1x (5520 WLC) to specify specific ACLs but also only allow access from corporate machines so a user can't pull up their iPad and enter in their AD credentials. 

From my research it seems this is only possible if we use the AnyConnect NAM, which we would prefer not to do.

So are there any options to do cert machine auth AND then user AD auth for ACL application using ISE 3.0?

2 Accepted Solutions

Accepted Solutions

@bhartsfield

You can combine machine and user authentication using the relatively new TEAP protocol, assuming your computers are using Windows 10 build 2004.

 

Reference: https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289

 


Arne Bier
VIP

Hello @bhartsfield 

 

If EAP-TEAP or NAM is not an option then perhaps there is another way:

 

1) If the corporate machines are domain joined, then you could use Group Policy to push a machine cert to the AD joined devices, and push a profile that connects to the corp SSID using that cert. On the ISE Wireless 802.1X Policy Set, create a new "Allowed Protocols" where only EAP-TLS is ticked. That will ensure that corp devices MUST use certificates to connect - clients who don't have certs won't have a chance on the corp SSID.

2) Allow EAP-PEAP, but check whether the user is a member of Domain Computers in the Authorization. Only domain joined computers will be members. Regular users will fail that check on the corp SSID.

3) Create a separate SSID for employees to connect to, using their AD creds. Apply the VLAN/ACL as required.
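The two answers above describe three ways ISE can tell a corporate machine apart from a personal device that merely knows an AD password: TEAP chaining (both the machine and the user inner method must succeed), an EAP-TLS-only allowed-protocols list on the corporate SSID, and a Domain Computers group check for PEAP. The following is an added illustration, not ISE code or any Cisco API: a small Python model of an authorization policy that applies those rules to constructed session attributes, so you can see which sessions get an ACL and why the iPad-with-AD-credentials case from the question is rejected. SSID names, ACL names, group names and the `Session` fields are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed names for this example (not from the thread or from ISE)
CORP_SSID = "CORP"
EMPLOYEE_SSID = "EMP"          # option 3: separate SSID for user-only access

# "Allowed Protocols" per SSID. PEAP is left on CORP so option 2 (Domain
# Computers check) can be shown; for option 1 alone you would list EAP-TLS only.
ALLOWED_PROTOCOLS = {
    CORP_SSID: {"EAP-TLS", "TEAP", "PEAP"},
    EMPLOYEE_SSID: {"PEAP"},
}

# Authorization results: AD group -> ACL name (constructed)
USER_ACL = {"Finance": "ACL-FINANCE", "Engineering": "ACL-ENG"}
DEFAULT_USER_ACL = "ACL-EMPLOYEE"
MACHINE_ACL = "ACL-MACHINE-ONLY"


@dataclass(frozen=True)
class Session:
    """Attributes ISE would derive from the EAP exchange and the AD lookup."""
    ssid: str
    eap_method: str                 # "EAP-TLS", "TEAP" or "PEAP"
    identity: str                   # user@domain or host/machine$
    ad_groups: frozenset = frozenset()
    machine_cert_valid: bool = False   # EAP-TLS client cert chained to the corp CA
    user_password_ok: bool = False     # MSCHAPv2 / PEAP inner result
    teap_machine_ok: bool = False      # TEAP chaining: machine inner method result
    teap_user_ok: bool = False         # TEAP chaining: user inner method result


def user_acl(groups):
    """Pick the ACL from the first matching AD group, else the default employee ACL."""
    for group, acl in USER_ACL.items():
        if group in groups:
            return acl
    return DEFAULT_USER_ACL


def authorize(s: Session):
    """Return (access, detail): detail is the ACL on ACCEPT or the reason on REJECT."""
    # Authentication policy: a method outside the SSID's allowed list never
    # reaches authorization. This is what makes option 1 effective.
    if s.eap_method not in ALLOWED_PROTOCOLS.get(s.ssid, set()):
        return ("REJECT", f"{s.eap_method} not allowed on {s.ssid}")

    if s.ssid == CORP_SSID:
        # TEAP: both chained inner methods succeeded -> machine is corporate
        # AND we know the user, so the user's group picks the ACL.
        if s.eap_method == "TEAP" and s.teap_machine_ok and s.teap_user_ok:
            return ("ACCEPT", user_acl(s.ad_groups))
        # EAP-TLS with a machine cert: only GPO-provisioned machines have one.
        if s.eap_method == "EAP-TLS" and s.machine_cert_valid:
            return ("ACCEPT", MACHINE_ACL)
        # Option 2: PEAP is allowed, but the authenticated account must be a
        # computer account (member of Domain Computers), not a human user.
        if (s.eap_method == "PEAP" and s.user_password_ok
                and "Domain Computers" in s.ad_groups):
            return ("ACCEPT", MACHINE_ACL)
        # Default deny: a user typing AD credentials from a personal device
        # matches none of the rules above.
        return ("REJECT", "corp SSID requires a corporate machine")

    if s.ssid == EMPLOYEE_SSID and s.user_password_ok:
        # Option 3: user-only SSID, ACL/VLAN by AD group.
        return ("ACCEPT", user_acl(s.ad_groups))

    return ("REJECT", "no matching rule")


# Constructed sample sessions covering the cases discussed in the thread
IPAD_WITH_AD_CREDS = Session(CORP_SSID, "PEAP", "alice@corp.example",
                             frozenset({"Domain Users", "Finance"}), user_password_ok=True)
DOMAIN_PC_TEAP = Session(CORP_SSID, "TEAP", "alice@corp.example",
                         frozenset({"Domain Users", "Finance"}),
                         teap_machine_ok=True, teap_user_ok=True)
DOMAIN_PC_TEAP_USER_ONLY = Session(CORP_SSID, "TEAP", "alice@corp.example",
                                   frozenset({"Domain Users"}), teap_user_ok=True)
DOMAIN_PC_EAP_TLS = Session(CORP_SSID, "EAP-TLS", "host/pc01.corp.example",
                            frozenset({"Domain Computers"}), machine_cert_valid=True)
DOMAIN_PC_PEAP_MACHINE = Session(CORP_SSID, "PEAP", "host/pc01.corp.example",
                                 frozenset({"Domain Computers"}), user_password_ok=True)
EMPLOYEE_BYOD = Session(EMPLOYEE_SSID, "PEAP", "bob@corp.example",
                        frozenset({"Domain Users", "Engineering"}), user_password_ok=True)

if __name__ == "__main__":
    for name, sess in globals().copy().items():
        if isinstance(sess, Session):
            print(f"{name:26} {authorize(sess)}")
```

Run it as a script to print the decision for each constructed session. The point to take from the model is the order of checks: the allowed-protocols list decides what even reaches authorization, and every corporate-SSID rule requires evidence tied to the machine (TEAP machine result, a machine certificate, or a computer account), so a valid AD password on its own never produces an ACL there.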

 

