Machine + user Auth/Authorize based only on AD

SorinPopa
Level 1

Hello,

I'm searching for a method of NAC implementation in a scenario using only AD (the client doesn't have a CA for generating certs yet) for wired.

1st do -> Machine (Windows 10) authentication with AD (Domain Computer).

2nd do -> User Auth + Authorize with dynamic VLAN x.

I'm not really sure how to configure this on ISE. Will there be 2 rules under Authorization? How can I tie this order together?

Also I want the user to enter the credentials only one time, when he logs on to the station; I guess "enable single sign-on" should be checked.

Accepted Solution

thomas
Cisco Employee

Use TEAP as the authentication protocol to provide both machine + user credentials at the same time.

See ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP) for a policy example.
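As an added illustration of the "two rules" ordering asked about above (this is not code from ISE or from the linked policy reference), a first-match model of a TEAP-chaining authorization policy keyed on ISE's Network Access:EapChainingResult values; the AD group names, rule names and VLAN IDs are constructed placeholders:

```python
"""First-match model of an ISE authorization policy for TEAP chaining.
Added example; the group names, rule names and VLAN IDs are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Outcome of the machine + user chain as ISE reports it in EapChainingResult.
BOTH_OK = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"
USER_ONLY = "User succeeded and machine failed"
NO_CHAINING = "No chaining"

# Constructed mapping: AD OU/group -> VLAN that the upstream firewall keys on.
GROUP_VLAN = {"Sales": 10, "Marketing": 20, "IT": 30}
QUARANTINE_VLAN = 999  # constructed: pre-login VLAN with AD/DHCP reach only


@dataclass
class Session:
    eap_tunnel: str                 # outer method, e.g. "TEAP"
    chaining_result: str            # one of the EapChainingResult values above
    ad_groups: List[str] = field(default_factory=list)


@dataclass
class Result:
    rule: str                       # name of the rule that matched
    access: str                     # "PermitAccess" or "DenyAccess"
    vlan: Optional[int] = None      # dynamic VLAN returned to the switch


def authorize(s: Session) -> Result:
    """Evaluate rules top to bottom and stop at the first match, as ISE does.

    Rule 1: both halves of the chain passed and the user is in a known
            AD group -> the department VLAN (order of groups decides
            for users who are members of several).
    Rule 2: only the machine half passed (before the user logs on)
            -> the quarantine VLAN so the PC can still reach AD/DHCP.
    Default: anything else (no chaining, user on a non-domain PC,
             unknown group) is denied rather than silently permitted.
    """
    if s.eap_tunnel == "TEAP" and s.chaining_result == BOTH_OK:
        for group in s.ad_groups:
            if group in GROUP_VLAN:
                return Result("Domain_User_And_Machine", "PermitAccess", GROUP_VLAN[group])
    if s.eap_tunnel == "TEAP" and s.chaining_result == MACHINE_ONLY:
        return Result("Domain_Machine_Only", "PermitAccess", QUARANTINE_VLAN)
    return Result("Default", "DenyAccess")
```

Because a user-only success falls through to the default deny, a domain account used from a non-domain laptop does not receive a department VLAN.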


6 Replies

Why doesn't the client deploy a PKI/CA? What is the use-case for changing VLANs? PEAP is broken from an encryption standpoint and should no longer be used. Credential Guard in newer versions of Windows disables PEAP.

Hello,

The client does not have the technical capability to implement a PKI/CA right now. The use case for changing VLANs is network segmentation for departments like Sales, Marketing, IT, etc. Each OU group from AD gets a different VLAN so that we can deploy firewall rules on top.


The client should hire their preferred partner of choice to help them implement a PKI instead.

The VLAN use-case makes sense if this is for upstream firewall rules and should work fine for devices with a supplicant. I would also consider looking at SGTs instead of VLAN changes and using an SGT-aware firewall to enforce instead. Just be wary about changing VLANs where clients are not aware a VLAN change has occurred and must request a new DHCP address post VLAN change.


Greg Gibbs
Cisco Employee

Just be aware that, while using TEAP with an inner method of MSCHAPv2 is possible, you will need to ensure that Credential Guard is disabled in order for MSCHAPv2 to work as @ahollifield pointed out earlier.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

Credential Guard was implemented to mitigate specific vulnerabilities (such as pass-the-hash), so a better option would be to move to certificate-based authentication methods like EAP-TLS (as recommended by MS). Microsoft is actively moving to disable support for weak protocols, so I would not be surprised if they remove the ability to disable Credential Guard in the future.

SorinPopa
Level 1

Ok, thank you very much guys for all the useful information. I will try it and speak with the customer to migrate to PKI/CA asap.