Machine Cert + Username Lookup

greg2.0
Cisco Employee

A customer is trialing ISE and has successfully configured AD machine certificate authentication for their corporate AD endpoints. The issue they are having is the lack of username (employee userid) data within ISE when using machine certificates for troubleshooting and searching the logs.

What are the possible and recommended ways of obtaining user ID info for machine authenticated sessions so that it is available via search within ISE?

Is it possible (i.e. via Microsoft GPO) to configure the Microsoft supplicant to use both machine and user certificates but only have ISE use the machine certificate for authorization and somehow just obtain the user data to add it to the machine auth session data? EAP-chaining is not of interest to customer.

Is passive ID an option to add the user data to the machine authenticated session data? Combining 802.1x with passive ID without authorizing the passive ID, just adding user data to the existing machine session.

The passive ID mechanism seems the most likely to work, but just want to confirm that I'm not missing something obvious.

Thanks!

Accepted Solution

hslai
Cisco Employee

You already listed out all the possibilities I can think of.

Using the Microsoft native 802.1X supplicant to perform user or computer auth, the session will appear with only the user info once the user logs in. In case the customer wants only domain-joined computers, then we may potentially use MAR and authorize the user only if the session has been machine authenticated, by conditioning on "Network Access·WasMachineAuthenticated Equals True".

Yes, PassiveID is an option to capture the last logged-in user and it should work as you described. As this is somewhat of a new feature, I would suggest testing it thoroughly before deploying it to production.

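A worked illustration, added here and not part of the thread or of any Cisco ISE code: given constructed RADIUS session records (machine-cert identity, MAC, IP, start/end) and constructed PassiveID logon events (IP, user, time), bind each logon to the session that owned that IP at logon time, then search sessions by user ID, which is the lookup the customer is missing. The field names and the IP-at-time join rule are assumptions about how such logs might be exported, not ISE's actual schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: field names are assumptions, not ISE's real log schema.
@dataclass
class Session:
    mac: str
    ip: str
    identity: str                    # certificate identity, e.g. host/NAME for a machine cert
    start: datetime
    end: Optional[datetime] = None   # None = session still active
    user: Optional[str] = None       # filled in from PassiveID logon events

@dataclass
class LogonEvent:
    ip: str
    user: str
    time: datetime

def attach_users(sessions: list[Session], events: list[LogonEvent]) -> int:
    """Bind each logon to the machine-authenticated session that owned the IP at logon
    time; later logons overwrite earlier ones (last logged-in user). Returns events bound."""
    bound = 0
    for ev in sorted(events, key=lambda e: e.time):
        for s in sessions:
            # Skip other IPs, logons before the session began, and logons after it ended
            # (the IP was re-issued later, so that logon belongs to a different session).
            if s.ip != ev.ip or ev.time < s.start or (s.end is not None and ev.time >= s.end):
                continue
            s.user = ev.user
            bound += 1
    return bound

def find_by_user(sessions: list[Session], user: str) -> list[Session]:
    """The search the question asks for: machine-cert sessions by the employee's user ID."""
    return [s for s in sessions if s.user and s.user.lower() == user.lower()]

def build_sample():
    t0 = datetime(2024, 1, 1, 8, 0)
    sessions = [
        Session("00:11:22:33:44:55", "10.1.1.10", "host/LAPTOP01.example.corp", t0),
        Session("00:11:22:33:44:66", "10.1.1.11", "host/LAPTOP02.example.corp", t0, t0 + timedelta(hours=1)),
        Session("00:11:22:33:44:77", "10.1.1.11", "host/LAPTOP03.example.corp", t0 + timedelta(hours=2)),
    ]
    events = [
        LogonEvent("10.1.1.10", "EXAMPLE\\jdoe", t0 + timedelta(minutes=5)),
        LogonEvent("10.1.1.11", "EXAMPLE\\asmith", t0 + timedelta(minutes=10)),  # LAPTOP02's session
        LogonEvent("10.1.1.11", "EXAMPLE\\bjones", t0 + timedelta(hours=3)),     # LAPTOP03 reused the IP
        LogonEvent("10.1.1.99", "EXAMPLE\\ghost", t0 + timedelta(minutes=1)),    # no session owns this IP
    ]
    return sessions, events
```

Call `build_sample()`, run `attach_users` over the result, and `find_by_user(sessions, "example\\bjones")` returns only the LAPTOP03 session even though LAPTOP02 held the same IP earlier.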