09-11-2017 06:10 AM - edited 02-21-2020 10:33 AM
For an environment with ISE 2.2 and external MS CA, can I use:
Machine certificates for authentication combined with AD user/pass for authorization?
09-11-2017 10:36 AM
Hi,
If you use AnyConnect as the client supplicant, then yes you can use certificates for machine auth and username/password (PEAP/MSCHAPv2) for user auth. With Windows native supplicant you have to use either machine and user certificates or machine and user PEAP/MSCHAPv2.
HTH
09-11-2017 11:02 AM
Hello, thanks for your message.
So if we leave the AnyConnect option out, there are two options if I decide to use machine certificates:
1) Machine + User certificate
2) Machine + PEAP/MSCHAPv2
I actually thought option 1) required Anyconnect (or TEAP).
Kindly confirm option 1).
09-11-2017 11:11 AM
I think you are referring to EAP-Chaining aka TEAP (AnyConnect only); this is when machine AND user authentications are combined. So you can validate that an authenticated user is permitted access from a device that was machine authenticated.
Windows native supplicant can individually authenticate a machine and user, but these authentications are independent and cannot be easily combined... unless you use MAR, but that has its downsides and can cause problems if a laptop moves between wired and wireless.
09-11-2017 11:19 AM
Thanks a lot RJI.
So if I have a customer who:
- does not want Anyconnect or TEAP
- must use machine certificate
Can he just use machine certificates for wireless access? Not so good an idea?
Or what does he combine it with ?
Thanks again.
09-11-2017 11:25 AM
You can just use machine certificates; you just need to configure a Windows group policy to use machine-only authentication. You could combine it with a user certificate (you would need to specify machine and user authentication in the group policy instead of machine authentication). Using user certificates does make deployment of certificates more complex, so using just machine certificates may make things simpler.