cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1556
Views
5
Helpful
3
Replies

Mixing EAP methods for Windows machine and user authentication

Arne Bier
VIP
VIP

Hello

 

I was reading the CiscoLive BRKSEC-2045 document and the author has an interesting slide that shows that Windows doesn't support the mixing of EAP methods when doing machine AND user authentication. In other words, you have to use either EAP-PEAP for both, or use EAP-TLS for both.  He goes on to say that on MACOS this is different because that OS's supplicant allows mixing.

 

Anyone got experience with this?

 

I want to do the following:

  1. Machine authentication using a machine cert AuthZ to my ISE server - ISE drops PC into VLAN x
  2. When the user logs into the Windows logon prompt, it should use EAP-PEAP against my ISE server so that I can AuthZ the user to a dynamic VLAN, according to AD Security Groups.

Maybe I misinterpreted the BRKSEC-2045 document, but it seems this mixing of EAP methods is not possible.

 

BRKSEC-2045

BRKSEC-2045-EAP.PNG

 

 

 

 

1 Accepted Solution

Accepted Solutions

Hi Arne!

 

The slide is correct, I'm afraid you can't mix different authentication types in the Windows native supplicant. You have to picked one or the other.

AnyConnect Network Access Module (NAM) supports mixing certificates and credentials on Windows machines. You would use either PEAP or EAP-FAST as the outer method and then you could mix EAP-TLS (certificate) and MSCHAPv2 (credentials) inside it. Using this you can use a machine certificate for the machine when it boots and then trigger a new authentication based on MSCHAPv2 when the user logs into Windows. 

I'm afraid I have never deployed double authentication for macOS so I'm not sure how it works there. 

View solution in original post

3 Replies 3

Hi Arne!

 

The slide is correct, I'm afraid you can't mix different authentication types in the Windows native supplicant. You have to picked one or the other.

AnyConnect Network Access Module (NAM) supports mixing certificates and credentials on Windows machines. You would use either PEAP or EAP-FAST as the outer method and then you could mix EAP-TLS (certificate) and MSCHAPv2 (credentials) inside it. Using this you can use a machine certificate for the machine when it boots and then trigger a new authentication based on MSCHAPv2 when the user logs into Windows. 

I'm afraid I have never deployed double authentication for macOS so I'm not sure how it works there. 

thanks Jacob.  You have become my EAP questions go-to guy ;-)

 

No problem, glad to help :)