
Value in using EAP Chaining with Machine and User Cert

mmahalin
Cisco Employee

Hi Team


A customer of mine is considering using EAP Chaining for their 802.1X wired and wireless deployment.  However, they are also planning on using machine and user certs. What is the value of EAP Chaining in a cert-based authentication environment?

I understand the value that EAP chaining brings with MS-CHAP/PEAP style environments. 

Thank you,

Mak 

Accepted Solution

Surendra
Cisco Employee

The value of EAP-Chaining comes in chaining the Machine Authentication with the User Authentication. It is independent of the authentication methods used. If you have a requirement of authorizing the user only if the machine is authorized, EAP-Chaining would be the first preference, since you can use multiple flavours for machine and user authentication, like MSCHAP & EAP-TLS, EAP-TLS & MSCHAP, MSCHAP & MSCHAP, and EAP-TLS & EAP-TLS respectively.

9 Replies

Thanks Surendra. In my use case, the main reason the customer wants to use certs/EAP-TLS is to make sure the laptop is corporate owned. They do not want the user to use AD usernames/passwords for user auth, as they cannot control the user bringing their personal device into the network. Hence the reason for enterprise-issued user certs on their laptops. Do I need EAP chaining? Both user and machine certs are non-exportable and safely identify the corporate asset and the user using it.

I recommend you go with EAP-FAST, since your requirement is to validate the machine from which the user is logged on, which inadvertently is as good as Machine authentication coupled with User authentication. Another way would be to use the WasMachineAuthenticated NetworkAccess dictionary attribute utilizing the MAR cache. However, there are a lot of dependencies to it.

I agree. You should use EAP-FAST with EAP-TLS.  Keep in mind that when using EAP-FAST you will need to implement AnyConnect with the NAM module, since most operating systems' native supplicants do not yet support EAP-FAST.  Machine authentication will occur first, followed by user authentication.  Your ISE authorization policy conditions should look something along these lines:

ExternalGroups EQUALS 'your domain-specific security group containing computer objects'

NetworkAccess:EAP-Tunnel EQUALS EAP_FAST

NetworkAccess:EAPChainingResult EQUALS 'User failed and machine succeeded'

Then the next policy would ensure that computer auth succeeded and authorize network access based on the user-provided cert/CAC card/etc.  That would look something like this:

NetworkAccess:WasMachineAuthenticated EQUALS True

ExternalGroups EQUALS 'your domain-specific security group containing users'

NetworkAccess:EAPChainingResult EQUALS 'User and machine both succeeded'

NetworkAccess:AuthenticationMethod EQUALS x509_PKI

You could specify that when user auth fails but machine auth succeeds, they get restricted access to the network.  Then, upon a successful EAP chaining result where both user and computer pass, they get full network access.
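
The two rules above, plus Surendra's point that chaining is what ties the user decision to the machine decision, are easy to misread as independent checks. As an added example that is not part of the thread (and not Cisco's code), here is a first-match evaluator for those rules in Python, run over constructed attribute sets. Attribute names and the two EAPChainingResult strings follow the ISE NetworkAccess dictionary as quoted in the thread; the authorization profile names, the AD group names, the extra chaining-result strings, and deriving WasMachineAuthenticated from the chaining result are assumptions made for the example. The third scenario is the one worth noticing: a user who chained with a password (MSCHAPv2) on a corporate laptop falls through to the default deny even though both identities succeeded, because the x509_PKI condition is what forces the user certificate.

```python
# Added example (not from the thread): a first-match evaluator for the two
# ISE authorization rules sketched above, run over constructed attribute sets.
# Attribute names follow the ISE NetworkAccess dictionary as quoted in the
# thread; profile names and AD group names are assumptions.

COMPUTER_GROUP = "corp.example/Computers/Corporate Laptops"  # assumed AD group
USER_GROUP = "corp.example/Users/Employees"                  # assumed AD group

# Chaining results after which the machine identity is trusted. The first two
# strings are quoted from the thread; the others are assumed for the example.
MACHINE_OK = {"User and machine both succeeded", "User failed and machine succeeded"}

# Each rule: (name, attribute conditions, required ExternalGroups, profile).
# Conditions are ANDed; rules are evaluated top-down and the first match wins,
# which is how an ISE authorization policy is processed.
RULES = [
    (
        "Machine only: restricted access",
        {
            "NetworkAccess:EAP-Tunnel": "EAP_FAST",
            "NetworkAccess:EAPChainingResult": "User failed and machine succeeded",
        },
        {COMPUTER_GROUP},
        "RESTRICTED_ACCESS",  # assumed profile (e.g. DACL/SGT for patching, AD logon)
    ),
    (
        "User and machine: full access",
        {
            "NetworkAccess:WasMachineAuthenticated": True,
            "NetworkAccess:EAPChainingResult": "User and machine both succeeded",
            "NetworkAccess:AuthenticationMethod": "x509_PKI",
        },
        {USER_GROUP},
        "FULL_ACCESS",  # assumed profile
    ),
]
DEFAULT_PROFILE = "DENY_ACCESS"  # assumed implicit default rule


def matches(session, conditions, groups):
    """True when every attribute equals its required value and every required
    AD group is present in the session's ExternalGroups."""
    if any(session.get(attr) != value for attr, value in conditions.items()):
        return False
    return groups <= set(session.get("ExternalGroups", ()))


def authorize(session):
    """Return (rule name, profile) for the first rule the session matches."""
    for name, conditions, groups, profile in RULES:
        if matches(session, conditions, groups):
            return name, profile
    return "Default", DEFAULT_PROFILE


def chained_session(result, user_method="x509_PKI",
                    groups=(COMPUTER_GROUP, USER_GROUP)):
    """Constructed attribute set for one EAP-FAST chained session.
    WasMachineAuthenticated is derived from the chaining result here; on a
    real ISE it can also come from the MAR cache (an assumption of the example)."""
    return {
        "NetworkAccess:EAP-Tunnel": "EAP_FAST",
        "NetworkAccess:EAPChainingResult": result,
        "NetworkAccess:WasMachineAuthenticated": result in MACHINE_OK,
        "NetworkAccess:AuthenticationMethod": user_method,
        "ExternalGroups": set(groups),
    }


# Constructed scenarios; none of these are captured from a real deployment.
SCENARIOS = {
    "corporate laptop, user cert":
        chained_session("User and machine both succeeded"),
    "corporate laptop, nobody logged on":
        chained_session("User failed and machine succeeded"),
    "corporate laptop, user used AD password":
        chained_session("User and machine both succeeded", user_method="MSCHAPV2"),
    "personal device, valid user cert":
        chained_session("User succeeded and machine failed", groups=(USER_GROUP,)),
}

if __name__ == "__main__":
    for label, session in SCENARIOS.items():
        rule, profile = authorize(session)
        print(f"{label:42} -> {profile:18} ({rule})")
```

Rule order matters: the machine-only rule sits first because its chaining-result condition cannot match a session where the user also succeeded, so it never shadows the full-access rule; swap the AuthenticationMethod condition out of the second rule and the password scenario silently becomes full access.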

Your example is the value I see with EAP chaining, and also how we have put it to good use in the field.

Taking it a step further, you can also differentiate access with TrustSec rather than, say, a DACL. Say a defense employee logs in on a machine that is still corporate owned but not part of the defense department; you can provide an SGT of least permission. In this example, some other business group's tag would be passed down with the authorization, and the user+machine may not have access to resources protected within the defense department tag. The authorization rules can get quite long if not well planned out, but the business use cases are out there.

This is where some education needs to be done with the customer.  Most customers mistakenly think "certificates are more secure".  If your customer says they only want to ensure the connecting device is a corporate-owned asset, you should be pushing for PEAP computer authentication.

If the customer had definitive needs for user information, then you would go with certificates, but you don't need to do EAP chaining.  If the customer's CA environment is built properly, you can make an assumption that the presence of the cert on a device means corporate-owned asset.

In all my installs I have never done EAP chaining or felt the need to introduce the extra complexity and extra software to support it.


@paul wrote:

This is where some education needs to be done with the customer.  Most customers mistakenly think "certificates are more secure".  If your customer says they only want to ensure the connecting device is a corporate-owned asset, you should be pushing for PEAP computer authentication.

If the customer had definitive needs for user information, then you would go with certificates, but you don't need to do EAP chaining.  If the customer's CA environment is built properly, you can make an assumption that the presence of the cert on a device means corporate-owned asset.

In all my installs I have never done EAP chaining or felt the need to introduce the extra complexity and extra software to support it.


Hi,

In this scenario, how would the Auth and Authz policy look? A generic guideline would help. Thanks.

I would agree with this suggestion, only because AD can be used to limit access to the computer itself.  It's easier to implement and doesn't compromise security, in my opinion.

It also allows machines that have no user actively logged in to still have network access, allowing for policy and monitoring.

Hi there

The topic is quite aged, but another benefit of EAP-TLS over EAP-MSCHAPv2 can be identified by now, just to state it:

Enforced Credential Guard in recent versions of Windows will fail SSO with EAP-MSCHAPv2 inside EAP-FAST, bringing you to a dilemma: create a security breach with the fix of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaAllowReturningUnencryptedSecrets, or migrate to EAP-TEAP with the native supplicant.

br andy