
user+machine auth question

ozgguler
Cisco Employee

Sorry All,

My question is related to ACS but your answer will fit for both ISE and ACS.

We configured two rules. The first one is for machine auth and the second one is for user auth. And we configured the Windows supplicant as "user and machine authentication". We are not using AnyConnect.

I think this configuration is known as MAR.

In ACS logs we see TLS handshake messages. Does it apply EAP-TLS with PEAP here? Or is it just an illusion?


Accepted Solutions

hslai
Cisco Employee

Yes, MAR is used with Windows native supplicant.

During PEAP, the client will get the EAP server certificate and then have the option to validate it. That might be what you are seeing. I can't see that in your screenshot.

But this is not a certificate authentication, right? Is it still needed to do EAP chaining for real machine+user auth?

Bonus question: Are there ways to bypass MAR? For example, what happens if I imitate a domain PC's hostname on a non-domain PC?

Thanks

Sent from my iPhone

MAR typically uses password auth. If using certificates, then you need to make sure to perform binary compare and use the AD ID store, else it would not work.

Please also make sure MAR is enabled in the external ID store for AD.
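
Added example, not part of the thread or of any Cisco tooling: a small Python check that tells PEAP apart from EAP-TLS by the EAP Type byte, since both methods carry the same TLS handshake messages and the handshake alone does not show which one is in use. It assumes raw EAP packets already extracted from a capture or from reassembled RADIUS EAP-Message attributes; the sample packets and the `build` helper are constructed for illustration, and only the first TLS record of an unfragmented message is inspected.

```python
import struct

# EAP method type numbers from the IANA EAP registry.
TLS_BASED_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}

def classify_eap(packet: bytes) -> dict:
    """Report the EAP method and the TLS handshake message (if any) it carries."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    result = {"code": EAP_CODES.get(code, "Unknown"), "method": None,
              "start": False, "tls_handshake": None}
    if code not in (1, 2) or length < 5:
        return result                      # Success/Failure have no Type field
    eap_type = packet[4]
    result["method"] = TLS_BASED_METHODS.get(eap_type, f"type {eap_type}")
    if eap_type not in TLS_BASED_METHODS or length < 6:
        return result
    flags = packet[5]                      # L=0x80, M=0x40, S=0x20
    result["start"] = bool(flags & 0x20)
    offset = 6 + (4 if flags & 0x80 else 0)  # L flag adds a 4-byte TLS length
    record = packet[offset:length]
    # TLS record: type(1) version(2) length(2), then handshake type(1)
    if len(record) >= 6 and record[0] == 22:
        result["tls_handshake"] = HANDSHAKE_TYPES.get(record[5], f"handshake {record[5]}")
    return result

def build(code, ident, eap_type, flags, tls=b""):
    """Hypothetical helper: assemble a constructed EAP packet for the samples."""
    length_field = struct.pack("!I", len(tls)) if flags & 0x80 else b""
    body = bytes([eap_type, flags]) + length_field + tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed, minimal TLS 1.2 handshake record with an empty ClientHello body.
CLIENT_HELLO = b"\x16\x03\x03\x00\x04\x01\x00\x00\x00"
PEAP_START = build(1, 1, 25, 0x20)                   # server starts PEAP
PEAP_HELLO = build(2, 1, 25, 0x80, CLIENT_HELLO)     # handshake inside PEAP
EAPTLS_HELLO = build(2, 1, 13, 0x80, CLIENT_HELLO)   # same handshake, EAP-TLS

if __name__ == "__main__":
    for name, pkt in [("PEAP start", PEAP_START), ("PEAP hello", PEAP_HELLO),
                      ("EAP-TLS hello", EAPTLS_HELLO)]:
        print(name, classify_eap(pkt))
```
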