2387 Views, 0 Helpful, 8 Replies

802.1x machine vs user authentication

eit-homing
Level 1

In the process of deploying 802.1x on a wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

8 Replies

If I need to use both user and machine authentication, do I have to use EAP-TLS? So does EAP-PEAP only do user authentication? Thanks.

Assuming we're talking about the native supplicant available in the OS from MSFT, then you can only do EAP-TLS or PEAP for machine-auth. Also, whatever you do for machine-auth, you also need for user-auth.

Thanks. Yes, I am using the native supplicant from MSFT. So is there any difference between using TLS or PEAP? I would like to decide which one I should implement.

There are differences between PEAP and TLS, probably outside of the scope of this post. Want to discuss it here?

The most notable need or difference for TLS is the use of certificates. You'd need one for the machine, and one for every user that logs into your machine. For PEAP, you should need no client-side certs, assuming network trust is a given.

Hope this helps,

If I need to prevent guest users and domain users with their own laptops from getting access to our LAN, I would like to set it up so that domain users can only log on using known devices. What would you recommend?

Do I need to use both machine and user authentication? Thanks.

OK, so assuming we're still talking the MSFT supplicant, you have some options:

1) Use EAP-TLS and mark any certs deployed to your corporate-owned assets as non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).

2) If PEAP is in use, use machine-auth and the Machine-Access-Restriction feature in ACS. What this does is couple the notions of machine-auth as a preceding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.

3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.

Hope this helps.
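Options 2 and 3 above describe two server-side policy couplings: a user-auth is only accepted if the same endpoint recently completed a machine-auth (the Machine Access Restriction with its aging window), and any attempt from a MAC address that is not in a known list or allowed prefix is refused (the MAC-based Network Access Restriction). The following Python model of that decision logic is an added example, not code from this thread and not Cisco ACS configuration syntax. It assumes the Windows native supplicant presents machine credentials as `host/<FQDN>`, takes the reply's "OID wildcard" to mean an OUI prefix (the first three octets of the MAC), and the aging time, MAC list, OUI list and the sequence of authentication attempts are all constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Attempt:
    """One 802.1X attempt as the RADIUS server sees it in an Access-Request."""
    seconds: int              # arrival time, seconds since an arbitrary epoch
    calling_station_id: str   # endpoint MAC as reported by the switch (Calling-Station-Id)
    identity: str             # "host/pc1.corp.example" = machine-auth, "CORP\\alice" = user-auth
    credential_ok: bool       # outcome of the EAP exchange itself (PEAP/MS-CHAPv2 here)


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 and return xx:xx:xx:xx:xx:xx."""
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_machine_identity(identity: str) -> bool:
    # Assumption: the Windows native supplicant sends machine credentials as host/<FQDN>.
    return identity.startswith("host/")


class AccessPolicy:
    """Toy model of MAR plus a MAC-based NAR (added example, not ACS syntax)."""

    def __init__(self, mar_aging_seconds: int, known_macs, allowed_ouis):
        self.mar_aging = mar_aging_seconds
        self.known_macs = {normalize_mac(m) for m in known_macs}
        # An OUI is the first three octets; store it as "xx:xx:xx" for prefix matching.
        self.allowed_ouis = {normalize_mac(o + "000000")[:8] for o in allowed_ouis}
        self._machine_auth_at: dict[str, int] = {}   # MAC -> time of last successful machine-auth

    def mac_is_known(self, mac: str) -> bool:
        """NAR check: exact match against the MAC database, or an OUI wildcard match."""
        return mac in self.known_macs or mac[:8] in self.allowed_ouis

    def decide(self, attempt: Attempt) -> tuple[bool, str]:
        mac = normalize_mac(attempt.calling_station_id)
        # The NAR applies to every attempt, machine-auth and user-auth alike.
        if not self.mac_is_known(mac):
            return False, "NAR: unknown MAC"
        if not attempt.credential_ok:
            return False, "EAP credential failure"
        if is_machine_identity(attempt.identity):
            # A successful machine-auth opens (or refreshes) the MAR window for this endpoint.
            self._machine_auth_at[mac] = attempt.seconds
            return True, "machine-auth accepted"
        # User-auth: MAR requires a prior machine-auth from the same endpoint inside
        # the aging window; a valid user credential alone is not enough.
        last = self._machine_auth_at.get(mac)
        if last is None or attempt.seconds - last > self.mar_aging:
            return False, "MAR: no recent machine-auth for this endpoint"
        return True, "user-auth accepted (MAR satisfied)"


def run_demo():
    """Feed a constructed sequence of attempts through the policy; returns the decisions."""
    policy = AccessPolicy(
        mar_aging_seconds=3600,
        known_macs=["00-11-22-33-44-55"],   # constructed: one corporate laptop
        allowed_ouis=["00:50:56"],          # constructed: one OUI wildcard
    )
    attempts = [  # constructed, not real logs
        Attempt(0,    "00-11-22-33-44-55", "host/pc1.corp.example", True),  # corporate laptop boots
        Attempt(30,   "00-11-22-33-44-55", "CORP\\alice",           True),  # domain user logs on
        Attempt(60,   "aa-bb-cc-dd-ee-ff", "CORP\\alice",           True),  # same user, personal laptop
        Attempt(90,   "00:50:56:01:02:03", "CORP\\bob",             True),  # allowed OUI, no machine-auth yet
        Attempt(120,  "00:50:56:01:02:03", "host/vm1.corp.example", True),  # machine-auth from that endpoint
        Attempt(150,  "00:50:56:01:02:03", "CORP\\bob",             True),  # now inside the MAR window
        Attempt(8000, "00-11-22-33-44-55", "CORP\\alice",           True),  # MAR window has aged out
    ]
    return [policy.decide(a) for a in attempts]


if __name__ == "__main__":
    for ok, why in run_demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The third attempt shows the case the original poster asked about: the same domain user with valid credentials is refused on a laptop whose MAC is not known, and the fourth shows that a permitted MAC is still not enough on its own once MAR is in force. The seventh attempt is the MAR aging caveat: if the aging time is shorter than the interval between a boot and the next logon, a legitimate user on a corporate machine is rejected as well, so the window has to be sized for how long machines stay powered on between logons.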

Are there any limitations in using the ACS appliance version 4 and remote agent when trying to use PEAP machine authentication?