2303 Views · 10 Helpful · 4 Replies

Multiple user login using EAP-TLS inner method && EAP-FAST outer

RohitSingh91693
Level 1

Recently we deployed an ISE server for authentication and authorization purposes, and there were many requirements from the client which were fulfilled. Now the last requirement from them is to do multiple user login on the same machine; due to this requirement, sign-off got stuck on the client side. Is there any way?

Also, we are using EAP-TLS as the inner method and EAP-FAST as the outer method.

I know multiple user login can break how ISE works, but we need to do this.

A client certificate is required before logging in to the machine. Is there any way that, if a new user logs in to the machine, the endpoint itself fetches the user certificate automatically from the CA server and allows the user to access the network?

Accepted Solution

Greg Gibbs
Cisco Employee

This is a very common issue due to the order of operations Windows uses for starting the dot1x process before the user GPO kicks in (which is how new user certs are enrolled). Many customers avoid using user certificates for this reason. See this community post for more detail.

You might look into using either AnyConnect NAM or TEAP (released in Windows 10 Build 2004) to leverage EAP-TLS for computer auth and PEAP-MSCHAPv2 for user auth.


4 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I got your requirement correctly. You want a user to log in on a machine, get their certificate and then be authenticated right away?

How is the user going to get their certificate? Are we talking about machines managed by an MDM or Windows AD?

If so, you can assign a permit with a dACL to allow access to a few services (DHCP, DNS, and MDM/Windows AD) with a small timeout until the user can get all prerequisites (certificate and supplicant configuration). Then, at the next reauthentication timer, users will be authenticated using TLS.

If I missed something or did not understand something, please let me know and I will try to find a solution.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Yes, for the machine connectivity after the user logs out we have configured a dACL, so that after logout the machine still has a connection with the AD.

My client's requirement is this: without having a user certificate, if a new user logs in to any system, is it possible that during login the endpoint will fetch the user certificate from AD and store it in the user certificate store? I.e., the client wants multiple user login on the same machine.

In EAP-TLS, what we do first is enroll the certificate manually in the user certificate store; after that the EAP process happens and the user gets authenticated.

Mike.Cifelli
VIP Alumni

"Client certificate is required before login into machine, is there any way if new user logged in into machine the endpoint itself fetch user certificate automatically from CA server and allow user to access the network"

I would look into testing/utilizing the authz condition of EapChainingResult equals "User failed and machine succeeded". Then, in this state, authorize the non-cert user + known good client into a restricted area that has limited access to the necessary resources the user needs to enroll for a cert. I think the tricky part here will be having them reauth (after successful enrollment for the cert) to gain full access to the respective network via EapChainingResult equals "User and machine both succeeded". You could, as already mentioned, use a reauth timer. However, I feel that there may be lost time here. You could have the user initiate reauth (depending on the supplicant used). If using NAM this is straightforward, but it may require some user education.

One last thing to note: by default, NAM enforces single user. To change this, see below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.


HTH!
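An added example (not from the thread or from Cisco) for auditing and changing the EnforceSingleLogon DWORD Mike describes, so that the change is explicit and reviewable before it is made on an endpoint; the registry path and value name are the ones quoted above, the function names are my own, and writing under HKLM needs an elevated session.

```powershell
# Added example, not part of the original thread or of AnyConnect NAM.
# Registry path and value name are exactly those quoted in the reply above.
$NamCredProvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'
$ValueName      = 'EnforceSingleLogon'

function Get-NamLogonPolicy {
    # Reports the current NAM logon policy: 'SingleUser' (1), 'MultiUser' (0),
    # 'NotSet' when the DWORD is absent, or the raw value if it is unexpected.
    if (-not (Test-Path -Path $NamCredProvKey)) {
        throw "NAM credential provider key not found; is AnyConnect NAM installed on this host?"
    }
    $item = Get-ItemProperty -Path $NamCredProvKey -ErrorAction Stop
    if ($null -eq $item.$ValueName) { return 'NotSet' }
    switch ([int]$item.$ValueName) {
        1       { return 'SingleUser' }
        0       { return 'MultiUser' }
        default { return "Unexpected($($item.$ValueName))" }
    }
}

function Set-NamLogonPolicy {
    # Creates or overwrites the DWORD. Supports -WhatIf / -Confirm so the
    # change can be reviewed first; run from an elevated (Administrator) shell.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SingleUser', 'MultiUser')]
        [string]$Mode
    )
    $desired = if ($Mode -eq 'SingleUser') { 1 } else { 0 }
    $before  = Get-NamLogonPolicy
    if ($PSCmdlet.ShouldProcess($NamCredProvKey, "Set $ValueName = $desired ($Mode)")) {
        New-ItemProperty -Path $NamCredProvKey -Name $ValueName -Value $desired `
            -PropertyType DWord -Force | Out-Null
        $after = Get-NamLogonPolicy
        Write-Output "$ValueName changed: $before -> $after"
    }
}

# Usage (elevated): audit first, then preview the change before applying it.
Get-NamLogonPolicy
Set-NamLogonPolicy -Mode MultiUser -WhatIf
```

Keeping the audit function separate lets you check the value across a fleet before deciding whether relaxing NAM's single-user enforcement is acceptable for the posture the thread describes.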
