Need of checking computer is part of domain

munish.dhiman1
Level 1

Hi All,

In one of the requirements, we would like to restrict personal devices from accessing corporate networks over 802.1x wired or wireless using MSCHAP. We can add machine authentication on top of it.

Can I simply use EAP-TLS to eliminate machine authentication? Only the devices having the certificate will be able to connect, and no personal device would be able to log in to the corporate network.

I hope my logic is correct.

Regards,

Munish Dhiman

 

1 Accepted Solution

Accepted Solutions

In regard to 802.1x, I assume you meant to include that you will run NAM as well. In my experience using the native supplicant is easier, especially if just trying to accomplish comp authc via eap-tls. However, NAM introduces some additional capabilities such as eap-chaining. For the posture check I run several checks, but the one I mentioned is in production for all VPN access, and it works like a charm. My domain reg check condition looks like this:
RegCheck_Domain
Win10 ALL
reg type: RegistryValue
reg root key: HKLM
sub key: SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
value name: MachineDomain
datatype: string
value operator: EQUALS
value data: <YOURDomain>
I recommend utilizing AD sec group mapping in your authz conditions as well, as another layer. HTH!

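Added example, not from this thread or from Cisco's posture module: a PowerShell script that reproduces the RegCheck_Domain condition above on a Windows host and adds two defender-side sanity checks, the OS's own domain-membership view and the presence of a machine certificate from the internal PKI with the Client Authentication EKU that EAP-TLS needs. The domain name and issuer string are placeholders you substitute for your environment.

```powershell
# Hypothetical local equivalent of the ISE posture condition RegCheck_Domain.
# Assumptions (placeholders): corp.example.com stands in for <YOURDomain>,
# 'Corp-Issuing-CA' for the common name of the internal issuing CA.
param(
    [string]$ExpectedDomain   = 'corp.example.com',
    [string]$InternalCaName   = 'Corp-Issuing-CA'
)

$result  = [ordered]@{}
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

# 1. The posture condition itself: MachineDomain EQUALS <YOURDomain>.
$machineDomain = (Get-ItemProperty -Path $regPath -Name MachineDomain `
                  -ErrorAction SilentlyContinue).MachineDomain
$result.RegCheck_Domain = ($machineDomain -eq $ExpectedDomain)

# 2. Cross-check against the OS view. The History key is written by Group Policy
#    processing, so it can be absent on a freshly joined host or stale on one that
#    left the domain; a mismatch here is worth investigating before trusting the key.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$result.OsDomainJoined = ($cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain))

# 3. EAP-TLS prerequisite: a valid machine cert from the internal CA, with a private
#    key and the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*CN=$InternalCaName*" -and
    $_.NotAfter -gt (Get-Date) -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
} | Sort-Object -Property NotAfter -Descending | Select-Object -First 1

$result.MachineCertPresent = [bool]$machineCert
if ($machineCert) {
    $result.MachineCertThumbprint = $machineCert.Thumbprint
    $result.MachineCertExpires    = $machineCert.NotAfter
}

# Overall verdict mirrors an ISE policy that requires posture AND a usable EAP-TLS cert.
$result.Compliant = ($result.RegCheck_Domain -and $result.OsDomainJoined -and
                     $result.MachineCertPresent)
[pscustomobject]$result
```

Run it as an administrator on a test host before rolling the posture condition out; a host that passes OsDomainJoined but fails RegCheck_Domain has not yet processed Group Policy, which is the case the registry check alone will misreport.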

3 Replies

Mike.Cifelli
VIP Alumni
You can accomplish what you are looking for in a few different ways. A couple of questions for you:
Do you have ISE integrated with AD?
Do you have an internal PKI?
Are you planning on using the native supplicant?
Some options include:
Utilizing ISE policy to map to AD security groups to validate the comp object (host) exists.
Deploying native supplicant configs via GPO to accomplish the use of machine auth via eap-tls & certificate auto-enrollment if you wish.
If using AnyConnect client as your supplicant, you could also deploy ISE posture module to perform system checks to ensure the host is a member of the domain via registry check and other viable options.
Note that you will probably want to incorporate OCSP checks to verify that the internal machine certs are valid as well during the eap-tls session. HTH!

Hi Mike,
Do you have ISE integrated with AD? Yes
Do you have an internal PKI? Yes
Are you planning on using the native supplicant? Anyconnect Posture module and VPN

I like the posture registry check, would you suggest any configuration parameter? And does it work fine in production environments?

Regards,
MD
