
2290
Views
10
Helpful
4
Replies
Beginner

802.1x AD User and Machine authentication

Hello,

Sorry that this has been asked a dozen times or more, but I can not find anything current that directly answers the question.

 

I am trying to authenticate users based on both AD user group and machine name or group using ISE 2.3. Machines are Windows 7, Windows 10 and MAC OS. At current, I am authenticating users based on their AD group, but this does nothing to prevent a user bringing in their own laptop and connecting to the internal network with their AD credentials.

 

I have found some solutions using MAR or the AnyConnect client, but neither of these are viable solutions, and those articles are from 2010-2013. I am hoping a solution has been developed over the past 5 years.

 

I have one line in my RADIUS logs, AD-Host-Resolved-Identities, that shows the computer name, but I can not find a rule in the policy set attributes for it. 

 

Any help would be much appreciated. 

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Advisor

Re: 802.1x AD User and Machine authentication

Hi

Apart from MAR and EAP chaining, there aren't many more ways.
You can authenticate machines using PEAP and then redirect to a portal to force users to type in their credentials (CWA chaining).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Beginner

Re: 802.1x AD User and Machine authentication

You could try to profile your corporate assets. One example I have seen is to set a custom DHCP class identifier on your corporate laptops; then you can build a profiling policy which looks for that custom class ID in the request and only authenticates the user if that custom class ID is found.

You could also perform posture checks, looking for something specific from your corporate OS build (registry key, file, etc.).

Another option would be to issue certificates to both users and computers and mark the certificates as not exportable. Then you would be quite certain that if the certificate is presented to ISE, it is coming from a corporate asset/user. But if you currently don't have PKI infrastructure set up in your organization, that would be a lot of work then.

I realize that none of these options are straightforward...just possible suggestions I was thinking about.


4 REPLIES 4
Beginner

Re: 802.1x AD User and Machine authentication

Thanks for the detailed response. I have been trying to do the machine cert + user auth method, but I must admit that my overall understanding of the cert process is a bit lacking. I have added our internal CA as a trusted source, but I am not entirely sure what cert the user machine passes to ISE or how to dictate that process. I have tried exporting certs from ISE, putting them on the machine and then setting the wireless profile to use it as the validation cert for the connection, but that has not worked.

 

Beginner

Re: 802.1x AD User and Machine authentication

This would generally be the sequence:

1. Upload your CA cert under the Trusted certificates in ISE and make sure you mark it as "Trust for client authentication and Syslog".

2. In ISE go to "Certificate Signing Requests" and generate a new CSR, select "EAP Authentication" as the intended purpose

3. Go to your CA and issue a new certificate for your ISE with the "Server authentication" purpose based on the CSR you generated

4. Go back to "Certificate Signing Requests" section in ISE and bind the CSR

5. Import CA cert into the client

6. Issue certificates to your clients, make sure the template has "Client authentication" as the purpose.

 

This is a very high level description, but that is generally the idea - client must present a certificate issued from CA that ISE trusts and ISE must present a certificate that client trusts.
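The six steps above describe a mutual trust relationship: ISE must trust the CA that issued the client certificate and see a client-authentication purpose on it, and the client must trust the CA that issued the ISE certificate and see a server-authentication purpose on it. The script below is an added example (not from this thread and not Cisco's tooling) that models exactly those relationships with a throwaway lab CA built with the openssl CLI, so the certificate roles can be checked before touching ISE. The names "Lab Root CA", "ise.example.internal", "laptop01" and "rogue-laptop" are made-up placeholders; in a real deployment the CSR is generated by ISE itself and signed by your enterprise CA.

```shell
#!/bin/sh
# Added example: reproduces the trust model from the steps above with a
# disposable openssl CA. Every name below is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 / step 5 analogue: the CA certificate that both ISE (trusted
# certificates store, "Trust for client authentication") and the client
# (its trusted root store) will import.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Steps 2-4 analogue: a CSR for the EAP server identity, signed by the CA
# with the "Server authentication" (serverAuth) purpose, then the signed
# certificate is paired with the private key that made the CSR (the "bind").
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ise.example.internal" \
    -keyout "$WORK/ise.key" -out "$WORK/ise.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise.example.internal\n' \
    > "$WORK/ise.ext"
  openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ise.ext" \
    -out "$WORK/ise.crt" >/dev/null 2>&1
}

# Step 6 analogue: a certificate for a client, issued from a template whose
# purpose is "Client authentication" (clientAuth).
make_client_cert() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# A self-signed certificate from outside the corporate PKI, standing in for
# a personal laptop. It carries clientAuth but does not chain to the lab CA.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-laptop" \
    -addext "extendedKeyUsage=clientAuth" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# What ISE checks on the certificate the supplicant presents: it chains to a
# trusted CA and is valid for the client-authentication purpose.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# What the supplicant checks on the certificate ISE presents: it chains to
# the CA the client imported and is valid for the server-authentication purpose.
verify_server() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    "$WORK/ise.crt" >/dev/null 2>&1
}
```

Run `make_ca`, `make_server_cert`, `make_client_cert laptop01` and `make_rogue_cert`, then the two verify functions: the corporate client and the ISE server certificate verify, the rogue certificate fails because its issuer is not in the trust file, and the ISE certificate also fails `verify_client` because its only purpose is serverAuth. That last case is the "wrong template" mistake the steps warn about, and it is the same check ISE performs when the trusted CA is not flagged for client authentication.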