
NON-DOMAIN MACHINE AUTHENTICATION

Hi,

 

I authenticate the user using the local database of ISE and I also want to authenticate my machine. But this machine is not joined to AD.

How can I authenticate a non-domain machine?

 

Machine username is host/example so I created the same username in the local database with a random password. I saw in logs an error 22063 Wrong password.

 

How is it possible to authenticate also my non-domain machine?


Accepted Solutions

Hi @RustamRustamov1023 

 

You can authenticate a non-domain joined machine in the following ways. Since this machine is not domain joined, you cannot and will never succeed in performing computer authentication with EAP-PEAP.

Therefore your choices of how to configure the native Win 10 supplicant are:

  • Computer authentication using EAP-TLS
  • User authentication using EAP-TLS or using EAP-PEAP
  • User/Computer authentication using EAP-TLS only (Win10 won't allow mixing of EAP methods unless you try EAP-TEAP)

 

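A readiness check for the "Computer authentication using EAP-TLS" option, as an added example that is not part of the original thread: run on the Windows client in an elevated PowerShell session, it reports whether the machine is domain joined and lists certificates in the computer store that could serve as an EAP-TLS machine credential. The 30-day expiry threshold is an assumption chosen for illustration.

```powershell
# Added example, not from the thread.
# Checks the two facts the replies turn on: domain membership, and whether a
# usable client-authentication certificate exists in the computer store.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$warnDays      = 30                    # assumed renewal warning threshold

# Domain membership: a workgroup machine has no AD-managed machine password.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ComputerName      = $cs.Name
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = $(if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup })
} | Format-List

# Candidate machine certificates: private key present, currently valid,
# and explicitly marked for client authentication.
# Certificates with no EKU extension at all are not listed by this filter.
$now = Get-Date
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter  -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

if (-not $candidates) {
    Write-Warning 'No valid client-authentication certificate with a private key in Cert:\LocalMachine\My.'
}
else {
    $candidates | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            DaysLeft     = $daysLeft
            RenewalDue   = ($daysLeft -le $warnDays)
        }
    } | Format-Table -AutoSize
}
```

The `DaysLeft` column speaks to the renewal concern raised in the replies: without AD or an MDM, nothing renews this certificate automatically.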

10 Replies

What is your EAP type?  PEAP? 

 

I am not an AD expert but AFAIK you cannot do this without Active Directory.  AD manages the password on the machine, there is no way to change/update the machine password, hence why you are seeing incorrect password.

 

If this is what you are trying to do why?  What is the use-case?  What significance would a non-domain machine account have?

I use PEAP. This is the requirement of my customer so I have to authenticate user and also non-domain machine.

Are there any other methods to authenticate a non-domain machine?

First I would question the requirement.  What exactly does the customer hope to gain by this?  

EAP-TLS using a certificate issued to that computer (stored in the computer account) is a possible option.  However, without AD or an MDM how are you going to get a certificate to that machine and manage the certificate renewal process?

Yes, I authenticated the non-domain machine with a certificate but now I have to do it using PEAP-MSCHAPv2

You can't.  There is no concept of this AFAIK without being joined to a domain.  Again though what is the use-case here?

If you are using ISE local Data Base, then you are not using AD. 

If you selected "Internal User" under "Password Type"  Then, you need to select the User Group. And you need to add your user on the User group.

Yes, I did it in the way that you described but there is a 22063 Wrong password error. The non-domain machine uses some username and password. I know which username it is from logs but I do not know which password it uses.


The main question is how can I authenticate also my non-domain machine?

Did you create an Authorization profile as well?

Take a look at this video.

https://www.youtube.com/watch?v=E_s9WHSVLYQ 

Yes, I created an Authorization Profile and I have a wired dot1x environment, not wireless. There are no questions about user authentication; there is a question about how to authenticate a non-domain machine using PEAP-MSCHAPv2.
