Wireless machine and user authentication

Hi all,

I have an issue with my wireless employee connection (802.1X EAP connection).

When users are on a wired connection and then move to the wireless employee network on XP or Seven, the name of the machine is not automatically sent to ISE in the 802.1X message. I have to restart the machine to have the machine name sent in the 802.1X message.

Is this normal? Is there any parameter to have the name of the machine sent automatically on the wireless?

Thanks for the support


11 Replies

Amjad Abdullah
VIP Alumni

Hi Boris,

You mean you use machine authentication, and that is not being used correctly when the device is already connected to the wired side? It is only sending the username, not the machine name?

Well, the issue with the Windows machine auth and ACS (and ISE is the same) is that Windows sends the machine auth trigger only when it boots. So, if the user is already logged in, the machine auth cannot be triggered.
Rather than rebooting the machine, I think logging off and on will trigger the machine auth request as well.

Microsoft RADIUS (NPS or the older IAS) can detect the machine auth status while the user is up and running. This is because Windows and the RADIUS server are from the same vendor, so they fit each other better.

I know a customer that moved the whole RADIUS from ACS to NPS because of this issue.

I hope this answers your concern.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi There

Can you confirm if using AnyConnect will have the same symptom? I mean, when exactly will AnyConnect send the user or machine name?

Like the native Windows supplicant, will you need to log off/reboot to have the authorization process OK?

nspasov
Cisco Employee

Hello Boris, in addition to the comments from Amjad, I would like you to confirm what exactly you mean by "machine authentication." Are you actually using PEAP machine authentication, or are you referring to MAR (Machine Access Restriction)? If you are not sure, please post a screenshot of the failed authentication.

Neno: Thank you for raising this. The customer I talked about in my previous post was using MAR actually. If machine auth is initiated, PCs go to VLAN X. If there is no machine auth, they go to VLAN Y. Firstly, when the machine starts it goes normally to the needed VLAN (VLAN X). But if the PC goes to sleep or hibernates and comes back up after some time, it goes to VLAN Y.

Rating useful replies is more useful than saying "Thank you"

Thanks for your great support Amjad Abdullah,

Hi Amjad,

If I use Administration -> External Identity Sources -> Active Directory -> Enable Machine Access Restriction (MAR)

I use 730 hours as the value:

Question 1: My user will be automatically authenticated without rebooting for 730 hours?

Question 2: If I use EAP-Chaining and the Cisco AnyConnect NAM, can I configure that as a workaround to this issue? (Users will not have to reboot their machine to have full access to the network; the machine will automatically be authenticated at every reconnection?)

Let me try to answer these questions too:

Question #1: Yes, that is correct, but it only applies to one/single MAC address. This becomes a problem when you have enabled MAB and 802.1X on both the wireless and wired (I believe this is the situation you are in) as there are two MAC addresses involved. Because of this, things "break" and users are not let on the network. Let me try to give you an example:

User comes to the office, boots his/her computer and connects on the wired network with MAC 00:00:00:00:00:01 > ISE captures the authenticated MAC address via MAR > ISE authenticates the machine on the network > then the user disconnects from the wired and tries connecting on the wireless network with the new MAC 00:00:00:00:00:02 > ISE tries to perform authentication but cannot locate that new MAC address > ISE returns an error saying that it could not find a previous successful machine authentication.

As a result, the machine will not be allowed on the wireless network until the user restarts the machine again while NOT connecting to the wired network.

Question #2: Yes, EAP-Chaining would eliminate the problem above.

Also, I should mention that if you are only looking to do machine authentication and NOT machine+user, then you simply use PEAP machine authentication, which is much easier to implement than EAP-Chaining and does not have the limitations of MAR.

I have a question regarding this. If I have a laptop with a network cable connected and Wi-Fi enabled, will it authenticate on both when it starts, or just one of them?

I will be using EAP-TLS with machine certificate for authentication of the device.

With EAP-TLS, things are different compared to MAR and EAP-Chaining. If you are going to use a machine certificate, then there will be no user information being passed. Instead, the supplicant will be configured to perform machine authentication only. That machine cert will be used to authenticate the device on both the wired and the wireless network.

maldehne
Cisco Employee

This is normal. Well, well, well, well.

I have seen a lot of people talking about this and what should be done and whether it is normal or not.

Companies have been looking for an authentication strategy that uses more than one factor in the authentication process when accessing wireless resources. Windows machine authentication plus user-credential authentication is that kind of strategy.

What happens in machine authentication is that the machine authenticates itself with the RADIUS server when booting. The RADIUS server communicates with the domain AD in the background to verify whether the machine is part of that domain or not. Once the machine has been verified to be legitimate, the machine will negotiate the key material with the RADIUS server. The RADIUS server will cache a record for the authenticated machine. In ACS it will cache it for 24 hours.

Now the user will open the machine and try to connect to the wireless network, where he/she will be prompted for username and password. If MAR is enabled, there should be a record for the machine in the ACS cache as a successfully authenticated machine to allow access to that user. If there is no record, the client won't be allowed access even if he/she provides correct credentials.

When MAR is enabled, to be able to access, the machine should already be authenticated so that the user credentials are accepted.

How can the ACS check if the machine has already been authenticated? Well, it will check the Calling-Station-Id attribute in the RADIUS Access-Request, and if the MAC address of the machine is the same as one of those cached, then the ACS will consider the machine as authenticated. After that the user can log in using username and password.

In your scenario, you have the machine already authenticated via the wired connection, so it has a record cached on ACS.

Later on, if a user tries to connect via wireless, there is no need for machine authentication; only username and password are required when MAR is enabled.

A lot of people are reporting the following issue:

MAR can sometimes inadvertently lock out a legitimate client, forcing the client to reboot in order to gain access to the network. WOW

We mentioned before that machine authentication is triggered upon booting the Windows machine, so we have to link this fact with the workaround to overcome the issue mentioned before.

Let's consider the following scenario:

User X has been working properly all day; his shift was over, he closed the lid and headed home.

The next day he opened the PC and tried to log in with username and password: no access?? What happened?

Well, with MAR enabled, the machine was cached on ACS. When he went home, the machine record expired from the ACS, so the machine is now not listed. He tried to authenticate with username and password, but the Calling-Station-Id has a MAC that is no longer cached on ACS (unauthenticated machine). So he has to trigger machine authentication again to connect with his username and password. What should he do? He should reboot his machine.

From then on he can disconnect and connect using his username and password until the entry is no longer cached.

He should have logged off when he went home and shut down his machine to avoid such an issue.

A hibernated machine won't trigger machine authentication when it comes back online.

As a conclusion:

Although MAR is a good feature, it has the potential to cause network disruption. These disruptions can be difficult to troubleshoot until you understand the way it works. When implementing MAR, it is important to educate your end users on how to properly shut down computers and to log off every machine at the end of the day.

I hope this has been informative

-----------------------------------------------------------------------------------------------------------

Please Don't Forget to rate correct answers

Thank you for the nice and detailed write-up maldehne (+5 from me). Now, if you can get the development team to re-open and address this bug/enhancement request (CSCtq11470), then a lot of people would be really happy.
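To make the two failure modes described above concrete (nspasov's wired-then-wireless case, where the MAR record is keyed on a MAC the wireless adapter never used, and maldehne's lid-closed case, where the record ages out overnight and hibernation never re-triggers machine authentication), here is a small model of a MAR cache. It is an added, constructed example written for this thread, not Cisco ACS or ISE code: the class name `MarCache`, the scenario functions, the timestamps and the sample MACs are assumptions, and the 24-hour and 730-hour aging values are the ones quoted in the thread. The model only implements the MAC-keyed gate; it does not check the user's credentials themselves.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def normalize_mac(calling_station_id: str) -> str:
    """Normalise a RADIUS Calling-Station-Id to aa:bb:cc:dd:ee:ff.

    NAS devices send the MAC in different notations (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455); a cache has to key on one form.
    """
    digits = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MarCache:
    """Simplified model (assumption, not the real ACS/ISE implementation):
    one entry per MAC, aged out after aging_hours."""
    aging_hours: float
    entries: dict = field(default_factory=dict)  # MAC -> time of last successful machine auth

    def machine_auth(self, calling_station_id: str, now: datetime) -> None:
        # A successful machine (host/<name>) authentication is recorded against the MAC
        # the request arrived from, not against the machine name.
        self.entries[normalize_mac(calling_station_id)] = now

    def user_auth(self, calling_station_id: str, now: datetime) -> tuple[bool, str]:
        """Gate a user authentication on a prior, unexpired machine auth for the same MAC."""
        mac = normalize_mac(calling_station_id)
        seen = self.entries.get(mac)
        if seen is None:
            return False, f"no machine authentication cached for {mac}"
        if now - seen > timedelta(hours=self.aging_hours):
            del self.entries[mac]  # aged out; only a reboot or log-off/on re-creates it
            return False, f"machine authentication for {mac} expired"
        return True, f"machine authentication for {mac} valid; user credentials accepted"


# Constructed sample values: the placeholder MACs from nspasov's example and an arbitrary boot time.
WIRED_MAC = "00-00-00-00-00-01"
WIRELESS_MAC = "00-00-00-00-00-02"
BOOT = datetime(2024, 1, 8, 8, 0)


def scenario_wired_then_wireless(aging_hours: float = 24) -> tuple[bool, str]:
    """Boot on the cable, then roam to Wi-Fi: the wireless NIC has a MAC MAR has never seen."""
    cache = MarCache(aging_hours)
    cache.machine_auth(WIRED_MAC, BOOT)
    return cache.user_auth(WIRELESS_MAC, BOOT + timedelta(hours=1))


def scenario_lid_closed(aging_hours: float) -> tuple[bool, str]:
    """Boot, work a shift, hibernate overnight, resume the next morning without a reboot."""
    cache = MarCache(aging_hours)
    cache.machine_auth(WIRELESS_MAC, BOOT)
    ok_during_shift, _ = cache.user_auth(WIRELESS_MAC, BOOT + timedelta(hours=9))
    assert ok_during_shift  # within the aging window the user gets on fine
    # Resume is 25 hours after the only machine auth; hibernation does not re-trigger it.
    return cache.user_auth(WIRELESS_MAC, BOOT + timedelta(hours=25))


if __name__ == "__main__":
    print(scenario_wired_then_wireless())
    print(scenario_lid_closed(aging_hours=24))    # ACS default quoted in the thread
    print(scenario_lid_closed(aging_hours=730))   # the 730-hour value the asker configured
```

Running it shows the wired-then-wireless case failing regardless of the aging value (the wireless MAC was never machine-authenticated), and the lid-closed case failing at 24 hours but passing at 730 hours, which is the behaviour Question #1 above asks about. A longer aging window only hides the expiry symptom; the two-adapter symptom remains because MAR is keyed per MAC, which is why EAP-Chaining or PEAP machine-only authentication was suggested instead.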
