Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1491
Views
5
Helpful
3
Replies

Mixing EAP methods for Windows machine and user authentication

Go to solution
Arne Bier
VIP
VIP

‎11-13-2017 10:03 PM - edited ‎02-21-2020 10:38 AM

Hello

 

I was reading the CiscoLive BRKSEC-2045 document and the author has an interesting slide that shows that Windows doesn't support the mixing of EAP methods when doing machine AND user authentication. In other words, you have to use either EAP-PEAP for both, or use EAP-TLS for both.  He goes on to say that on MACOS this is different because that OS's supplicant allows mixing.

 

Anyone got experience with this?

 

I want to do the following:

  1. Machine authentication using a machine cert AuthZ to my ISE server - ISE drops PC into VLAN x
  2. When the user logs into the Windows logon prompt, it should use EAP-PEAP against my ISE server so that I can AuthZ the user to a dynamic VLAN, according to AD Security Groups.

Maybe I misinterpreted the BRKSEC-2045 document, but it seems this mixing of EAP methods is not possible.

 

BRKSEC-2045

BRKSEC-2045-EAP.PNG

 

 

 

 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jacob.fredriksson
Level 1
Level 1

‎11-14-2017 10:02 AM

Hi Arne!

 

The slide is correct, I'm afraid you can't mix different authentication types in the Windows native supplicant. You have to picked one or the other.

AnyConnect Network Access Module (NAM) supports mixing certificates and credentials on Windows machines. You would use either PEAP or EAP-FAST as the outer method and then you could mix EAP-TLS (certificate) and MSCHAPv2 (credentials) inside it. Using this you can use a machine certificate for the machine when it boots and then trigger a new authentication based on MSCHAPv2 when the user logs into Windows. 

I'm afraid I have never deployed double authentication for macOS so I'm not sure how it works there. 

View solution in original post

3 Replies 3

Go to solution
jacob.fredriksson
Level 1
Level 1

‎11-14-2017 10:02 AM

Hi Arne!

 

The slide is correct, I'm afraid you can't mix different authentication types in the Windows native supplicant. You have to picked one or the other.

AnyConnect Network Access Module (NAM) supports mixing certificates and credentials on Windows machines. You would use either PEAP or EAP-FAST as the outer method and then you could mix EAP-TLS (certificate) and MSCHAPv2 (credentials) inside it. Using this you can use a machine certificate for the machine when it boots and then trigger a new authentication based on MSCHAPv2 when the user logs into Windows. 

I'm afraid I have never deployed double authentication for macOS so I'm not sure how it works there. 

Go to solution
Arne Bier
VIP
VIP
In response to jacob.fredriksson

‎11-14-2017 01:50 PM

thanks Jacob.  You have become my EAP questions go-to guy ;-)

 

0 Helpful

Go to solution
jacob.fredriksson
Level 1
Level 1
In response to Arne Bier

‎11-15-2017 08:44 AM

No problem, glad to help :)

0 Helpful
Customers Also Viewed These Support Documents