Machine + User authentication in ISE

royalblues (Level 10)

Is there a way to do machine and user authentication together in ISE without using Anyconnect?

The requirement is to identify a corporate asset based on a machine certificate and then provide granular access based on user auth / certificate.

Any links or guides pointing to the configuration to achieve this would be helpful.

Narayan

Accepted Solution

rschlayer (Level 4)

Hello @MU_B,

As of Windows 10 build 2004 (May 2020) and ISE 2.7p1 it is now possible to use TEAP for chaining user + machine certificates using the native supplicant in Windows 10.

Check the following link for more information: https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

Best regards,

Rick


16 Replies

nspasov (Cisco Employee)

I don't believe that this is possible, and it is due to the limitations of the native Windows supplicant, which can do only one of the following:

1. User authentication

2. Machine authentication

3. Machine or user authentication

Machine+User authentication can only be accomplished with EAP-Chaining, which is only supported by AnyConnect. Perhaps Microsoft would be kind enough to upgrade their native supplicant in future updates of Windows 8/7.


Hi,

Can anyone tell me the recommended dACL for machine logon?

Thanks 

Pranav

petermitchell (Level 1)

Yes, it's possible with the native Windows supplicant.

ISE and ACS support MAR - Machine Access Restrictions. 

This allows you to restrict user auth to machines that have already done machine auth.

It works but has some limitations

- ACS/ISE keeps track of successful computer auth by tracking the MAC of machines that pass machine auth.

- The mac address database has a limited but configurable cache period

- Once you time out you need to do machine auth again - this can be an issue for users that hibernate etc. and don't do frequent reboots.

EAP Chaining (EAP-FASTv2, or under its new standard name EAP-TEAP) would solve some of the limitations, but currently there is no native supplicant support.

Do we have a step-by-step configuration of both methods that I can look into?

I have tried but can't make it work... the machine auth never happens if I set dot1x to look for a certificate, and I see it fail over to MAB.

I personally stay away from MAR. It comes with limitations and some things to keep in mind, especially if you are configuring wired and wireless. Also, it is not a "true" machine+user authentication. Last but not least, MAR does not use the machine certificates. But that is just my preference.

bhthapa (Level 1)

There is another way to achieve machine + user authentication through ISE. But for that you need to have some prerequisites: for Windows 7 machines, please select "User or computer authentication" in the authentication method, but it is not applicable for Windows XP.

Then you need to create two rules in the Authorization policy:

Rule no 1:

Ise.local:ExternalGroups==Domain Computers

With the 1st rule, the machine will get authorized access when it boots up (before the user enters his credentials).

Rule no 2:

Network Access:WasMachineAuthenticated==True

AND

ise.local:ExternalGroups==Domain Users

In the 2nd rule, the user will enter credentials and he will get authorized access.

I thought that XP can do "machine or user" as well? Perhaps I am wrong. Also, isn't this suggestion also dependent on MAR? If so it won't really be using certificates...

All the above answers are good answers, but to have some consistency when performing user and computer authentication without relying on setting long MAR timers, or also worrying about the ISE or ACS node rebooting (the MAR cache is not saved permanently and is deleted when servers reboot, i.e. when performing an upgrade). Also, I don't think the MAR cache is even replicated in an ISE deployment.

You are better off distributing AnyConnect with a tested profile using EAP-FAST and MS-CHAPv2 as the inner method. It's a better "end to end" solution and is easily managed by distributing an XML file if changes need to be made. I just tested the EAP-chaining feature and it works just as well as advertised.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Neno,

Yes XP can do all 3.

User

Machine

Machine + User

For user - that is default setting

For machine only (can't be configure in XP GUI) - use group policy or registry to set value

For machine + User (tick auth as computer when computer info is available)

As discussed about Machine + User means -

boot PC - pc does machine auth

login as user - pc does user auth.

BTW - Bhaskar Network Access:WasMachineAuthenticated ==True is known as MAR.

I've heard talk of MAR cache being shared in ACS deployment but not sure about ISE cluster.

MAR cache is not shared. Here is a snippet directly from the User Guide for ISE 1.1.x:

-----The PDP nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. For example, if a client machine is authenticated by one of the Policy Service ISE nodes, PDP1, and PDP1 goes down, then another Policy Service ISE node in the deployment, PDP2, handles the user authentication. The user authentication in this case fails because PDP2 does not have the host authentication information in its MAR cache-----
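The MAR behaviour the replies above describe (a MAC-keyed cache with an aging time, the two-rule authorization policy, a cache that is local to the Policy Service node that saw the machine auth and is lost when that node restarts) modelled as an added example. This is not Cisco code and not from the thread; the 8-hour aging time, group names, MAC address, identities and the "DENY" default rule are constructed assumptions used only to make the failure modes visible.

```python
"""Toy model of ISE Machine Access Restriction (MAR), the mechanism behind the
'Network Access:WasMachineAuthenticated == True' condition.

Added example, not Cisco code. Assumptions (labelled): the cache is keyed by
the endpoint MAC, has a configurable aging time (8 hours is a placeholder),
lives only in the PSN that saw the machine auth, and is emptied on restart."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

MAR_TTL_SECONDS = 8 * 3600  # hypothetical aging time; configurable in ISE

# Constructed identity store: which AD group each identity belongs to.
AD_GROUPS: Dict[str, FrozenSet[str]] = {
    "host/LAPTOP01.ise.local": frozenset({"Domain Computers"}),
    "ISE\\alice": frozenset({"Domain Users"}),
}


@dataclass
class PolicyServiceNode:
    """One PSN. Its MAR cache is node-local: never replicated to peers."""
    name: str
    mar_cache: Dict[str, float] = field(default_factory=dict)  # MAC -> expiry

    def restart(self) -> None:
        # The cache is in memory only; a reboot or upgrade empties it.
        self.mar_cache.clear()

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        expiry = self.mar_cache.get(mac)
        if expiry is None:
            return False
        if expiry <= now:
            del self.mar_cache[mac]   # aged out: the machine must re-auth
            return False
        return True

    def authorize(self, mac: str, identity: str, now: float) -> str:
        """Apply the two authorization rules from the thread, top down."""
        groups = AD_GROUPS.get(identity, frozenset())
        # Rule 1: Domain Computers -> machine access, remember the MAC.
        if "Domain Computers" in groups:
            self.mar_cache[mac] = now + MAR_TTL_SECONDS
            return "MACHINE_ACCESS"
        # Rule 2: WasMachineAuthenticated AND Domain Users -> user access.
        if self.was_machine_authenticated(mac, now) and "Domain Users" in groups:
            return "USER_ACCESS"
        # Default rule (assumed): a user on a box with no machine auth on record.
        return "DENY"


def scenario() -> Dict[str, str]:
    """Replay the failure modes described in the thread; return each outcome."""
    mac = "00:11:22:33:44:55"
    machine, user = "host/LAPTOP01.ise.local", "ISE\\alice"
    psn1, psn2 = PolicyServiceNode("PSN1"), PolicyServiceNode("PSN2")
    t0 = 1_000_000.0
    out: Dict[str, str] = {}
    out["boot_machine_auth"] = psn1.authorize(mac, machine, t0)
    out["logon_same_psn"] = psn1.authorize(mac, user, t0 + 60)
    # Hibernate past the aging time: no reboot, so no fresh machine auth.
    out["logon_after_ttl"] = psn1.authorize(mac, user, t0 + MAR_TTL_SECONDS + 1)
    # Fresh machine auth on PSN1, then PSN1 is down and PSN2 handles the user.
    t1 = t0 + MAR_TTL_SECONDS + 100
    psn1.authorize(mac, machine, t1)
    out["logon_failover_psn2"] = psn2.authorize(mac, user, t1 + 60)
    # PSN1 restarts (e.g. an upgrade): cache gone although the TTL has not expired.
    psn1.restart()
    out["logon_after_psn1_restart"] = psn1.authorize(mac, user, t1 + 60)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:28s} -> {result}")
```

Only the first logon succeeds; the other three user authentications land on the default rule even though the machine is a legitimate domain member, which is exactly why the thread steers towards EAP chaining instead of long MAR timers.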

You must use EAP-FASTv2, available in AnyConnect, or wait for TEAP. From my understanding everyone is going to incorporate TEAP into their native supplicant when it gets released. So look for a Windows patch or update to add it. I'm not sure how far out TEAP is.

It works by requesting the machine to authenticate; once the machine authenticates, ISE or the RADIUS server passes a token (cookie) that is to be used whenever a user attempts to authenticate. When the user attempts to authenticate using TEAP they will always send the machine token that they got when they authenticated earlier with machine creds. If it's not available then TEAP sends machine creds to be authenticated along with the user.

ISE will have a few options to check (User and Machine authenticated, User only, Machine only, and so on). I believe EAP-FASTv2 works the same way but is only used by Cisco via AnyConnect. Be careful about using the WasMachineAuthenticated condition as it has lots of issues with mobile laptops coming from home or switching from wired to wireless.
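The chaining flow described in the post above (machine authenticates, server returns a token, the user authentication carries that token or falls back to sending machine creds alongside the user creds, and the server reports which of the two succeeded) modelled as an added example. It is not Cisco or Microsoft code. Assumptions: the token is an HMAC-protected blob under one key shared by every PSN, which is what makes it survive failover and node restarts where a node-local MAR cache does not; the identities, secrets and outcome labels are constructed sample values, not ISE attribute names.

```python
"""Toy model of EAP chaining (EAP-FASTv2 / TEAP): machine phase, server-issued
machine token, user phase carrying the token, one combined result.
Added example; all identities, keys and labels are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

DEPLOYMENT_KEY = b"constructed-deployment-wide-token-key"  # shared by all PSNs (assumption)
TOKEN_LIFETIME = 7 * 24 * 3600                             # hypothetical token validity

# Constructed identity store.
MACHINE_CREDS = {"host/LAPTOP01.ise.local": "machine-secret"}
USER_CREDS = {"ISE\\alice": "correct-horse"}
Creds = Tuple[str, str]


def chaining_result(machine_ok: bool, user_ok: bool) -> str:
    """The four outcomes a policy rule can match on (constructed labels)."""
    if machine_ok and user_ok:
        return "USER_AND_MACHINE"
    if user_ok:
        return "USER_ONLY"
    if machine_ok:
        return "MACHINE_ONLY"
    return "NONE"


class TeapServer:
    """Any PSN in the deployment; keeps no per-endpoint state at all."""

    def _sign(self, payload: bytes) -> str:
        return hmac.new(DEPLOYMENT_KEY, payload, hashlib.sha256).hexdigest()

    def issue_machine_token(self, machine_id: str, now: float) -> str:
        payload = json.dumps({"machine": machine_id, "exp": now + TOKEN_LIFETIME}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def verify_machine_token(self, token: str, now: float) -> Optional[str]:
        """Machine identity bound to the token, or None if forged/expired/garbled."""
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        claims = json.loads(payload)
        return claims["machine"] if claims["exp"] > now else None

    def authenticate(self, request: Dict, now: float) -> Dict:
        """One chained conversation: machine part (token or creds) + user part."""
        machine_ok, new_token = False, None
        if "machine_token" in request:            # token from an earlier machine auth
            machine_ok = self.verify_machine_token(request["machine_token"], now) is not None
        elif "machine_creds" in request:          # no token: machine creds sent with the user
            mid, secret = request["machine_creds"]
            machine_ok = MACHINE_CREDS.get(mid) == secret
            if machine_ok:
                new_token = self.issue_machine_token(mid, now)
        user_ok = False
        if "user_creds" in request:
            uid, pw = request["user_creds"]
            user_ok = USER_CREDS.get(uid) == pw
        return {"result": chaining_result(machine_ok, user_ok), "machine_token": new_token}


class Supplicant:
    """Endpoint supplicant; remembers the machine token the server handed back."""

    def __init__(self, machine_creds: Creds) -> None:
        self.machine_creds = machine_creds
        self.machine_token: Optional[str] = None

    def machine_phase(self, server: TeapServer, now: float) -> str:
        """At boot, before anyone logs on: machine credentials only."""
        resp = server.authenticate({"machine_creds": self.machine_creds}, now)
        self.machine_token = resp["machine_token"] or self.machine_token
        return resp["result"]

    def user_phase(self, server: TeapServer, user_creds: Creds, now: float) -> str:
        """At logon: user creds plus the stored token, or machine creds if no token."""
        req: Dict = {"user_creds": user_creds}
        if self.machine_token:
            req["machine_token"] = self.machine_token
        else:
            req["machine_creds"] = self.machine_creds
        resp = server.authenticate(req, now)
        self.machine_token = resp["machine_token"] or self.machine_token
        return resp["result"]


def scenario() -> Dict[str, str]:
    psn1, psn2 = TeapServer(), TeapServer()   # two nodes, same deployment key
    t0 = 1_700_000_000.0
    corp = Supplicant(("host/LAPTOP01.ise.local", "machine-secret"))
    byod = Supplicant(("host/HOMEPC", "not-in-domain"))
    out: Dict[str, str] = {}
    out["corp_boot"] = corp.machine_phase(psn1, t0)
    out["corp_logon_via_psn2"] = corp.user_phase(psn2, ("ISE\\alice", "correct-horse"), t0 + 60)
    out["corp_bad_password"] = corp.user_phase(psn2, ("ISE\\alice", "wrong"), t0 + 120)
    out["byod_logon"] = byod.user_phase(psn1, ("ISE\\alice", "correct-horse"), t0 + 180)
    # Flip one hex digit of the signature: a forged token must not count as machine auth.
    last = corp.machine_token[-1]
    corp.machine_token = corp.machine_token[:-1] + ("0" if last != "0" else "1")
    out["corp_tampered_token"] = corp.user_phase(psn1, ("ISE\\alice", "correct-horse"), t0 + 240)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:22s} -> {result}")
```

The point of contrast with MAR: the user logon is served by a different node than the machine auth and still yields the combined result, because the binding travels in the conversation instead of living in a node's memory, while a home PC that holds valid user credentials is still distinguishable as "USER_ONLY".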

Looks like ACS 5.4 is sharing MAR cache.  Hopefully ISE picks up that technology too.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1307694

Distributed MAR Cache

ACS 5.4 supports the Machine Access Restriction cache per ACS deployment. That is, machine authentication results can be cached among the nodes within the deployment.

manjeets (Level 3)

Here is a helpful video for user and machine authentication:

http://www.youtube.com/watch?v=bjH99xKepLY


MU_B (Level 1)

Based on the above replies looks like using MAR is not a best practice.


Any latest updates on this post? I wanted to check how we can accommodate machine+user authentication using the native supplicant.
