07-08-2019 02:10 AM
Hi board,
every document regarding passive ID (or EasyConnect) I have seen so far stated that the Windows client/end device is identified using MAB (limited-access authorization to allow a domain login).
Question: MAB is not a prerequisite for passive ID, right? If I have a running EAP-TLS / PEAP deployment to authenticate and authorize the machine accounts via 802.1X, passive ID will work as well, right?
The only thing to make sure of, after the initial authorization, is that the client is able to perform an AD login.
07-08-2019 03:10 AM
Hi,
Yes, you'd need MAB. If you are only authenticating the computer via 802.1x, then at this point there has been no user authentication, so Active Directory has no WMI authentication events to forward to ISE. MAB is used to provide limited access, allowing the user to authenticate to AD, at which point the WMI authentication events are forwarded to ISE, then a CoA is sent and the user is re-authorized.
If you are using 802.1x for computer authentication, I'd personally use it for user authentication as well.
HTH
07-08-2019 03:28 AM
Thanks for the answer RJI.
To summarize this:
In order to use passive ID, you "somehow" make sure the user is able to log in to a machine which is allowed to access all needed DCs. So the method used to authenticate the machine does not matter. It could be MAB or 802.1X.
Just to answer your return question:
Of course I prefer user authentication via 802.1X as well. The problem is if you don't have user certificates and want to use EAP-TLS for machine authentication. I guess with the native supplicant there is no way to do computer auth via EAP-TLS and user auth via PEAP.
07-08-2019 03:23 AM
If you're using the computer account for authentication only, you don't get the user context.
Typically you want to authorize based on attributes, which are mapped to a user account and not the computer account :)