Machine and User Cert Authentication

fatalXerror
Level 5

Hi,

For the newer ISE, is it possible to have machine and user certificate-based authentication using just the native Windows supplicant? Thanks

12 Replies

Hi,
Yes, you can perform Machine and User certificate authentication using the Windows native supplicant.

HTH

@Rob Ingram, how do you instruct the Windows native supplicant to do machine and user certificate authentication? All I can see there is "Computer or User Authentication".

So to confirm, the native supplicant can do machine/user authentication, but these are 2 independent authentications. If you want to tie these authentications together (EAP Chaining) then @Mike.Cifelli is correct: you'll need EAP-FAST with the AnyConnect supplicant.

What exactly are you looking to achieve?

Hi @Rob Ingram, yes, I want both machine and user certificate authentication to succeed before getting access to the network. Can the Windows native supplicant not do that?

Ok, thanks for clarifying. The only other option (that I am aware of) is using MAR. This will combine both machine and user authentications. This useful link provides the pros and cons of using MAR; pay attention to the "MAR and Wired-Wireless Switching" section. I find this one of the main reasons not to use MAR.

HTH

Hi @Rob Ingram, thanks for providing the links and that section. I think it is not recommended to do that in our environment; it is much better if I advise my team to use NAM.

Using NAM does not have any license dependencies, right?

Hi,

Yes, using NAM would be recommended.

Nothing is ever free; AnyConnect licensing info is here. Best you contact your Account Manager for further information.

HTH

Hi @Rob Ingram,

I have scrapped the machine and user authentication design in my environment and will now be doing just machine authentication.

With this method, do I still need to reboot my machine every time I move the connection from wired to wireless and vice versa?

Thanks

The native supplicant cannot do what you are trying to accomplish. You will need to use EAP-FAST so you can utilize EAP Chaining. EAP Chaining will allow you to chain together both computer and user certificate authentication in one session. In order to configure and deploy/use EAP-FAST you will need the Cisco AnyConnect client with the NAM module. This guide will better assist you:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/administration/guide/b_AnyConnect_Administrator_Guide_4-6/configure_nam.html

HTH!

Hi @Mike.Cifelli,

If I use the NAM module, there are no licensing dependencies, right? Is this module free? Also, if I use it, then in a scenario where my endpoint goes to sleep or the user logs off, does it still do machine and user authentication upon logging in, or do I still need to reboot my machine to initiate the machine authentication?

thanks

You are going to need ISE Base licenses in order to support 802.1X and RADIUS sessions. Basically, one user/host session equals one Base license. Assuming you have a company contract with Cisco, you can download the module free of cost. It will perform machine/user authentication upon logging in if that is how you want to configure it. I strongly suggest reading the guide I posted in a previous reply to gain a better understanding of your options. You will have several deployment options on how you want to utilize NAM. For example, you can configure single sign-on and enable port exceptions to attempt network connection prior to user logon so that the user doesn't have to initiate AnyConnect once logged in. If you are looking for additional information in regard to how to set up your ISE authz policies, you can find really good tutorials for free here: http://labminutes.com/video/sec
For example, one of the policy conditions you will end up utilizing will be EapChainingResult Equals (user pass|machine fail) and vice versa, OR Equals no-chaining. Then, given the different EAP Chaining outcomes, you will be able to drive different network policy.

HTH!
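To make the difference between the two approaches discussed in this thread concrete, here is an added example (it is not code from the thread, from Cisco ISE or from AnyConnect). It models, in plain Python, how ISE ties a machine authentication to a user authentication under MAR (two independent EAP-TLS sessions, with the machine result cached per endpoint MAC for an aging time and checked via Network Access:WasMachineAuthenticated) versus EAP Chaining (one EAP-FAST/TEAP session whose outcome ISE exposes as Network Access:EapChainingResult), and drives constructed authorization profiles from each. The MAC addresses, timestamps, aging window and profile names are invented for the example; the EapChainingResult strings are the values ISE uses.

```python
"""Added example (not from the thread or from Cisco): model of MAR vs EAP Chaining
authorization in ISE. MACs, timestamps, aging window and profile names are
constructed; only the EapChainingResult strings are ISE's own values."""
from dataclasses import dataclass, field
from typing import Dict

# Values of the ISE attribute Network Access:EapChainingResult
BOTH_OK = "User and machine both succeeded"
USER_OK_MACHINE_FAIL = "User succeeded and machine failed"
USER_FAIL_MACHINE_OK = "User failed and machine succeeded"
BOTH_FAIL = "User and machine both failed"
NO_CHAINING = "No chaining"

# Constructed authorization-profile names for this example
FULL = "PermitAccess-Corporate"
MACHINE_ONLY = "PermitAccess-PreLogon"   # e.g. patching / GPO VLAN before logon
RESTRICTED = "PermitAccess-Restricted"   # known user, but no proof of a managed device
DENY = "DenyAccess"


def eap_chaining_result(machine_ok: bool, user_ok: bool) -> str:
    """EapChainingResult ISE sets after one chained EAP-FAST/TEAP session."""
    if machine_ok and user_ok:
        return BOTH_OK
    if machine_ok:
        return USER_FAIL_MACHINE_OK
    if user_ok:
        return USER_OK_MACHINE_FAIL
    return BOTH_FAIL


def authorize_chained(result: str) -> str:
    """Authorization rules on EapChainingResult, evaluated top to bottom."""
    rules = [
        (BOTH_OK, FULL),
        (USER_FAIL_MACHINE_OK, MACHINE_ONLY),
        (USER_OK_MACHINE_FAIL, RESTRICTED),
    ]
    for condition, profile in rules:
        if result == condition:
            return profile
    return DENY  # BOTH_FAIL, NO_CHAINING and anything unexpected fall through


@dataclass
class MarCache:
    """MAR cache: endpoint MAC -> time of last successful machine authentication."""
    aging_seconds: int
    _seen: Dict[str, float] = field(default_factory=dict)

    def machine_authenticated(self, mac: str, now: float) -> None:
        self._seen[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        t = self._seen.get(mac)
        return t is not None and now - t <= self.aging_seconds


def authorize_mar(cache: MarCache, mac: str, user_ok: bool, now: float) -> str:
    """User EAP-TLS under MAR: WasMachineAuthenticated is a cache lookup keyed on
    the Calling-Station-ID (MAC) of the interface the user is now on."""
    if not user_ok:
        return DENY
    return FULL if cache.was_machine_authenticated(mac, now) else RESTRICTED


def roam_wired_to_wireless_mar(aging_seconds: int = 6 * 3600) -> Dict[str, str]:
    """Constructed scenario: laptop boots on wired (MAC A), user logs on, later the
    same logged-on user moves to Wi-Fi (MAC B) without a reboot. The aging window
    is an assumed value for the example, not a claim about ISE's default."""
    cache = MarCache(aging_seconds)
    wired, wifi = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"
    cache.machine_authenticated(wired, now=0)          # machine EAP-TLS at boot on wired
    out = {"wired": authorize_mar(cache, wired, True, now=60)}
    out["wifi"] = authorize_mar(cache, wifi, True, now=120)  # MAC B never machine-authenticated
    out["wired_after_aging"] = authorize_mar(cache, wired, True, now=aging_seconds + 1)
    return out


def roam_wired_to_wireless_chained() -> Dict[str, str]:
    """Same move with EAP Chaining: every session carries both credentials, so the
    outcome does not depend on which interface (MAC) the session comes from."""
    result = eap_chaining_result(machine_ok=True, user_ok=True)
    return {"wired": authorize_chained(result), "wifi": authorize_chained(result)}


if __name__ == "__main__":
    print("MAR      :", roam_wired_to_wireless_mar())
    print("Chaining :", roam_wired_to_wireless_chained())
```

Running it shows the failure mode the replies above warn about: under MAR the user gets full access on the wired interface but only the restricted profile after switching to Wi-Fi (a different MAC has no machine-authentication entry) and again once the cache entry ages out, which is why a reboot or logoff is needed to refresh it; with EAP Chaining both interfaces yield "User and machine both succeeded" in a single session.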

Mike.Cifelli
VIP Alumni
As far as I know, EAP Chaining can be accomplished by using EAP-FAST or EAP-TEAP. Pretty sure most Windows native supplicants don't support EAP-TEAP yet, which is the industry standard. If you want to use EAP-FAST you will need to use and implement Cisco AnyConnect with the NAM module (Network Access Manager).

HTH!