cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
927
Views
3
Helpful
5
Replies

Machine only access in case of Eap-Chaining

sameesin
Cisco Employee
Cisco Employee

Hi Experts,

In case when we are implementing Eap-Chaining on windows machine, are the credentials sent to ISE when the machine boots up or is it only after the user enters the credentials that both the credentials are sent together.

My customer's ask is that, they will need access to the machine in case the user's AD password has expired. If the access is provided as a result of eap-chaining success then how will the AD access the machine.

Can we identify if the machine is domain machine even with eap-chaining on?

Any leads will be helpful.

Thanks.

5 Replies 5

ognyan.totev
Level 5
Level 5

In mine deployment  , i did the following :

No mater Domain Computer or not first time plug in network it will give access to this PC only to can take IP and to be joined in Active directory and to one terminal server to can debug problematic PC's thats all.

Second if computer is part of domain and user is part of domain it will give them proper rights.

In mine deployment they receive Group policy from AD ,this policy is configured to remind the users to change them passwords because will expire soon ,But if someone not change it and it expire i can connect to this PC from mine terminal server as i told above.

Will this work in case of eap-chaining? As both machine and user credentials will be sent together to the ISE.

Is this understanding correct

Yes must be work ,and yes i understand your question .

But maybe if you have to make one more rule in ISE ,machine will be always ok but here the problem will be the user credentials . Thats why you can make some rule in ISE :

Network Access:EapChainingResult Equals: User failed and machine succeeded

than permit correctly IP addresses to can change Password

Thanks. I will try this in my lab and test it out.

Damien Miller
VIP Alumni
VIP Alumni

Hello Sameer,

As indicated by Ognyan, you will need to create a rule in your dot1x policy set that matches machine success user fail. This is a pretty common ask and you will be able to get it to work. 

What I see most often is companies issuing machine certificates via GPO from their MSPKI infrastrucutre, authenticating on the machine cert with a user fail.  When the machine boots up NAM will authenticate with the machine cert and the user component will fail.  When the user logs in NAM will reauth with the cert and AD credentials. 

Ognyan also started on a common issue once you have moved beyond monitor mode dot1x, how will the PC techs provision new computers?  If the computer is not yet joined to the domain, most companies don't want to treat it as a corporate asset granting networking access.  Some implementations might elect to have secure ports within the PC tech areas that are exempt from dot1x, others might whitelist usb nics for the techs.  Ognyans method sounds like he is using a DACL to restrict access for the basic provisioning.  The method you approach this additional challenge with will greatly depend on the environment requirements. 

Something that can also be helpful but doesn't always fly with the security folks.  You can create a mab policy that matches a profile for domain joined pcs.  Leveraging the hostname you get with the profiling information you can perform look ups in AD and verify if the machine is domain joined. This can be helpful if NAM has problems or NAM hasn't been pushed to all domain machines.  This doesn't help you onboarding new machines to the network since they wont be domain joined, but it does allow the help desk access to the machines while they figure out why the machine is not passing dot1x.