Is there a way to do machine and user authentication together in ISE without using AnyConnect?
The requirement is to identify a corporate asset based on a machine certificate and then provide granular access based on user auth / certificate.
Any links or guides pointing to the configuration to achieve this would be helpful.
Hello @MU_B,
as of Windows 10 build 2004 (May 2020) and ISE 2.7p1 it is now possible to use TEAP for chaining user + machine certificate using the native supplicant in Windows 10.
Check the following link for more information: https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/
I don't believe that this is possible, and it is due to the limitations of the native Windows supplicant, which can do only one of the following:
1. User authentication
2. Machine authentication
3. Machine or user authentication
Machine+User authentication can only be accomplished with EAP-Chaining, which is only supported by AnyConnect. Perhaps Microsoft would be kind enough to upgrade their native supplicant in future updates of Windows 8/7.
Thank you for rating!
Yes, it's possible with the native Windows supplicant.
ISE and ACS support MAR - Machine Access Restrictions.
This allows you to restrict user auth to machines that have already done machine auth.
It works but has some limitations:
- ACS/ISE keeps track of successful computer auth by tracking the MAC of machines that pass machine auth.
- The MAC address database has a limited but configurable cache period.
- Once you time out you need to do machine auth again - this can be an issue for users that hibernate etc. and don't do frequent reboots.
EAP Chaining (EAP-FASTv2, or under its new standard name, EAP-TEAP) would solve some of the limitations, but currently there is no native supplicant support.
Do we have a step-by-step configuration of both methods that I can look into?
Have tried but can't make it work... the machine auth never happens if I set the dot1x to look for a certificate, and I see it fail over to MAB.
I personally stay away from MAR. It comes with limitations and some things to keep in mind, especially if you are configuring wired and wireless. Also, it is not a "true" machine+user authentication. Last but not least, MAR does not use the machine certificates. But that is just my preference.
There is another way to achieve machine and user authentication through ISE. But for that you need to have some prerequisites: for a Windows 7 machine, please select "User or computer authentication" in the authentication method, but this is not applicable for Windows XP.
Then you need to create two rules in Authorization policy:
Rule no 1:
With the 1st rule, the machine will get authorized access when it boots up (before the user enters his credentials).
Rule no 2:
Network Access:WasMachineAuthenticated ==True
Now in the 2nd rule the user will enter credentials and he will get authorized access.
I thought that XP can do "machine or user" as well? Perhaps I am wrong. Also, isn't this suggestion also dependent on MAR? If so, it won't really be using certificates...
All the above answers are good answers, but to have some consistency when performing user and computer authentication without relying on setting long MAR timers, or also worrying about the ISE or ACS node rebooting (the MAR cache is not saved permanently and is deleted when servers reboot, i.e. when performing an upgrade). Also, I don't think the MAR cache is even replicated in an ISE deployment.
You are better off distributing AnyConnect with a tested profile using EAP-FAST and MS-CHAPv2 as the inner method. It's a better "end to end" solution and is easily managed by distributing an XML file if changes need to be made. I just tested the EAP-chaining feature and it works just as well as advertised.
*Please rate helpful posts*
Yes, XP can do all 3:
Machine + User
For user - that is the default setting.
For machine only (can't be configured in the XP GUI) - use group policy or the registry to set the value.
For machine + user - tick "authenticate as computer when computer info is available".
As discussed above, Machine + User means:
boot PC - PC does machine auth
login as user - PC does user auth
BTW, Bhaskar, Network Access:WasMachineAuthenticated == True is known as MAR.
I've heard talk of MAR cache being shared in ACS deployment but not sure about ISE cluster.
MAR cache is not shared. Here is a snippet directly from the User Guide for ISE 1.1.x:
"The PDP nodes in a distributed deployment do not share their Machine Access Restriction (MAR) cache with each other. For example, if a client machine is authenticated by one of the Policy Service ISE nodes, PDP1, and PDP1 goes down, then another Policy Service ISE node in the deployment, PDP2, handles the user authentication. The user authentication in this case fails because PDP2 does not have the host authentication information in its MAR cache."
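The MAR limitations discussed in this thread (a per-node cache keyed on the client MAC, a configurable cache period after which machine auth must be repeated, and no replication between Policy Service nodes) can be seen in a small model. This is an added example, not code from the thread or from Cisco; the node and cache names, the two authorization outcomes and the sample MAC address are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyServiceNode:
    """Toy model of one Policy Service node's MAR behaviour (constructed, not ISE code)."""
    name: str
    mar_cache_ttl: float                                  # cache period in seconds
    _mar_cache: dict = field(default_factory=dict)        # MAC -> expiry time; local to this node

    def machine_auth(self, mac: str, now: float, cert_ok: bool = True) -> bool:
        """Machine auth at boot: on success, remember the MAC until the cache period elapses."""
        if cert_ok:
            self._mar_cache[mac] = now + self.mar_cache_ttl
        return cert_ok

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        """The WasMachineAuthenticated condition: true only for an unexpired entry on this node."""
        expiry = self._mar_cache.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self._mar_cache[mac]       # timed out: machine auth must happen again
            return False
        return True

    def user_auth(self, mac: str, user_ok: bool, now: float) -> str:
        """Mirror the two-rule policy from the thread: user auth, then check the MAR cache."""
        if not user_ok:
            return "reject"
        if self.was_machine_authenticated(mac, now):
            return "corporate-user-access"   # rule 2: user + WasMachineAuthenticated == True
        return "restricted-user-access"      # user is valid but no machine auth known here

def scenario() -> dict:
    """Walk through the failure modes the posts describe and return each outcome."""
    pdp1 = PolicyServiceNode("PDP1", mar_cache_ttl=3600)
    pdp2 = PolicyServiceNode("PDP2", mar_cache_ttl=3600)
    wired_mac = "00:11:22:33:44:55"       # constructed sample MAC
    wireless_mac = "66:77:88:99:aa:bb"    # same laptop, different NIC (constructed)

    pdp1.machine_auth(wired_mac, now=0)   # laptop boots, machine cert accepted by PDP1
    return {
        # user logs in shortly after boot, same node: MAR condition satisfied
        "same_node": pdp1.user_auth(wired_mac, True, now=60),
        # PDP1 is down, PDP2 handles the user auth: caches are not shared
        "failover_to_pdp2": pdp2.user_auth(wired_mac, True, now=60),
        # laptop hibernated past the cache period and never rebooted
        "after_cache_timeout": pdp1.user_auth(wired_mac, True, now=3601),
        # user roams to wireless: different MAC, so no cache hit
        "wired_to_wireless": pdp1.user_auth(wireless_mac, True, now=60),
    }

if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:20s} -> {outcome}")
```

Only the first case yields the intended corporate access; the other three are exactly the situations the thread warns about, and a real deployment would need long MAR timers or TEAP/EAP chaining to avoid them.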
You must use EAP-FASTv2, available in AnyConnect, or wait for TEAP. From my understanding everyone is going to incorporate TEAP into their native supplicant when it gets released. So look for a Windows patch or update to add it. I'm not sure how far out TEAP is.
It works by requesting the machine to authenticate; once the machine authenticates, the ISE or RADIUS server passes a token (cookie) that is to be used whenever a user attempts to authenticate. When the user attempts to authenticate using TEAP they will always send the machine token that they got when they authenticated earlier with machine creds. If it's not available, then TEAP sends the machine creds to be authenticated with the user.
ISE will have a few options to check (User and Machine authenticated, User only, Machine only, and so on). I believe EAP-FASTv2 works the same way but is only used by Cisco via AnyConnect. Be careful about using the WasMachineAuthenticated condition, as it has lots of issues with mobile laptops coming from home or switching from wired to wireless.
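The token-based chaining flow described in the post above, as an added example that is not part of the thread and not Cisco's or any supplicant's code: the server hands out a signed token after machine authentication, the supplicant replays it at user login, and if no valid token is present the machine credentials are sent alongside the user credentials so the server can still produce a combined result. The identities, the HMAC token format and the four result labels are constructed for illustration (the labels paraphrase the options the post lists; they are not ISE's attribute values).

```python
import hashlib
import hmac
import secrets

# Constructed sample identities standing in for the machine cert CN and user name
# presented inside the TEAP tunnel.
TRUSTED_MACHINES = {"LAPTOP-42.corp.example"}
TRUSTED_USERS = {"alice"}

class TeapChainingServer:
    """Toy model of the authentication server side of TEAP EAP chaining (constructed)."""

    def __init__(self, token_lifetime: int = 8 * 3600):
        self._key = secrets.token_bytes(32)     # per-server secret: tokens from another server fail
        self.token_lifetime = token_lifetime

    def _sign(self, data: str) -> str:
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def authenticate_machine(self, machine_id: str, cert_ok: bool, now: int):
        """Inner machine auth at boot. Returns a token the supplicant replays later, or None."""
        if not (cert_ok and machine_id in TRUSTED_MACHINES):
            return None
        data = f"{machine_id}|{now + self.token_lifetime}"
        return f"{data}|{self._sign(data)}"

    def _machine_from_token(self, token, now: int):
        """Validate a replayed token: intact signature and not expired."""
        try:
            machine_id, expiry, tag = token.rsplit("|", 2)
        except (AttributeError, ValueError):
            return None                                   # no token or malformed token
        if not hmac.compare_digest(tag, self._sign(f"{machine_id}|{expiry}")):
            return None                                   # tampered or issued elsewhere
        if now >= int(expiry):
            return None
        return machine_id

    def authenticate_user(self, user_id: str, user_ok: bool, now: int,
                          machine_token=None, machine_creds=None) -> str:
        """User login. Machine proof comes from the token, or from creds sent in the same session."""
        machine_passed = self._machine_from_token(machine_token, now) is not None
        if not machine_passed and machine_creds is not None:
            mid, cert_ok = machine_creds
            machine_passed = self.authenticate_machine(mid, cert_ok, now) is not None
        user_passed = user_ok and user_id in TRUSTED_USERS
        if user_passed and machine_passed:
            return "user-and-machine"          # corporate asset with a valid user
        if user_passed:
            return "user-only"                 # e.g. personal device with corporate creds
        if machine_passed:
            return "machine-only"
        return "both-failed"

def scenario() -> dict:
    """Exercise the cases a policy author cares about and return the chaining result for each."""
    srv = TeapChainingServer()
    machine = "LAPTOP-42.corp.example"
    token = srv.authenticate_machine(machine, cert_ok=True, now=0)     # boot-time machine auth
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")            # flip one hex digit
    return {
        "token_replayed": srv.authenticate_user("alice", True, 60, machine_token=token),
        "no_token_creds_sent": srv.authenticate_user("alice", True, 60,
                                                     machine_creds=(machine, True)),
        "expired_token_creds_sent": srv.authenticate_user(
            "alice", True, srv.token_lifetime + 1, machine_token=token,
            machine_creds=(machine, True)),
        "unmanaged_device": srv.authenticate_user("alice", True, 60,
                                                  machine_creds=("HOME-PC", True)),
        "forged_token": srv.authenticate_user("alice", True, 60, machine_token=forged),
        "bad_user_good_machine": srv.authenticate_user("mallory", True, 60, machine_token=token),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:26s} -> {result}")
```

Note that the token carries no client MAC and never leaves the server's own key, which is why chaining does not suffer from the roaming, failover and cache-expiry problems of MAR: an expired or missing token is simply replaced by sending machine credentials in the same session.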
Looks like ACS 5.4 is sharing the MAR cache. Hopefully ISE picks up that technology too.
ACS 5.4 supports the Machine Access Restriction cache per ACS deployment. That is, machine authentication results can be cached among the nodes within the deployment.
Based on the above replies, it looks like using MAR is not a best practice.
Any latest updates on this post? Wanted to check how we can accommodate both machine+user authentication using the native supplicant.