dot1x machine auth before user auth required

We are looking at setting up dot1x in our libraries however I have been asked to see if there is a way to force a switch port to require machine auth before user auth.  The reason for this is a problem we have that users will disconnect the ethernet cable from the library computer and plug it into theirs.  If they have an AD account, they could in theory authenticate on this port. We want to discourage them from disconnecting these ports as we then don't know the computer has been unplugged and then it is no longer on the network and doesn't get updates/ghosted.

Also, would it maybe be better to just allow a specific group of user accounts to connect to these jacks, and if so what would be the best way?  Location settings on the port?

We are using ISE 1.2 to do authentication for these switches.

9 Replies

nspasov (Cisco Employee)

Hi Zach-

There are several different ways to prevent non-domain computers from gaining access to the network. I will try to list a few of them starting with the easiest and least expensive/labor intensive methods:

1. Do only Machine-based authentication. This eliminates the user from having to enter credentials and ISE will simply query AD for valid computer domain membership.

2. Use EAP-Chaining. This is the only method that truly gives you user+machine authentication. However, it does require that you push the Cisco AnyConnect client to all endpoints.

3. Deploy PKI and use EAP-TLS authentication with Digital Certificates. With this method only domain computers/users can get a certificate and ISE can still query AD for user or machine AD membership

4. Perform Posture and check for something that is domain specific. For instance, a fake registry key or file that is being created when a machine joins to the domain. With this method ISE can still ask for User authentication but also require posture check. You can then set the policy that if posture fails but user auth succeeds then the user will only get guest access.

I hope this helps.


Neno, is there a way that you can think of to limit machine auth to a specific port?  I was looking at possibly using:

location additional-location-information library

.. on the port config (with 'library' as my example) and maybe using this in ISE to say that if you are coming from this 'library' location that:

  • The port would have had to be already authenticated via machine auth
  • only specific AD user groups can authenticate.

Our network is too large to have one cookie cutter config for all ports, some ports will do machine only, some will do machine/user and some will do user and some will be wide open.

- Zachary

You can definitely have different types of authentications based on the NAD's location and the NAD's port number. All of these are attributes that you can specify in your "Authentication and Authorization" rules. However, in order to truly do Machine+User authentication you must use the Cisco AnyConnect client, which brings me to the next topic/problem: how are you going to configure and control the endpoint supplicant configuration? In order to keep things simple you should have the same supplicant configuration but then have multiple authentication/authorization rules that can accommodate different types of scenarios. ISE just processes the rules from top to bottom, so as soon as it hits a match an action is taken.

With that being said, you can create policy sets for each campus/library and perhaps match the rule based on the NAD location. Within the policy set you can configure several rules starting with the more specific one. For example, rule #1 can be "Domain Machine Authentication" which would give you full access. Rule #2 would be "User Access" which will only give you limited access. Rule #3 would be the default rule which will just give you Internet access.


I've been trying to figure out how to get the location that I configure on the interface to show up in the RADIUS packet.  I guess what would be better would be to be able to set the RADIUS NAS identifier on the interface, but I can't seem to find anything that will do that.

If it is location that would do it, I tried adding it as a civic address and then adding that to the port, adding it to ISE and then choosing that, but it skipped right past the rule.

conf t
location civic-location identifier library
int gi 1/0/1
  location civic-location-id library

Basically think of it this way, if we had a 24 port switch:

1-12 - Library computers ONLY

13-24 - Public jacks

From all the googling I've done I can't find anything that would let me configure ports 1-12 to send some kind of radius attribute to the radius server.  Maybe I've missed something?

You should try using the NAD (Switch) location. So you create a device group called switches. Then a location group called "Location-A". Then add the switch to those groups. Then in your authorization rules you can use the "Location" attribute, which I believe is located under "Device".

With regards to ports, I don't recall how you can reference those but I am pretty sure you can. However, a better way may be to configure all ports the same but utilize different rules that I mentioned above:

If domain computer
  then full access
If domain user
  then limited access
Default rule
  put the port in a guest VLAN


Yes, I know I can add switches to a location, however our switches are shared for many different services which is why I'd like to have it work down to the port level.

Unfortunately it does not appear that the "location" information under each port is being passed as a RADIUS attribute. I just tested this in my lab and it does not work. The only thing port-related that is passed is the "NAS Port ID" which corresponds to the interface name. For instance, "GigabitEthernet0/1", so I am not sure if this would be helpful or not.


Nope, that won't do it.  Our Cisco SE found this (as he is looking on his side too) but I don't think it is what we want

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swlldp.html#wp1086641
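The following is an added example, not code from the thread or from ISE. It models the top-to-bottom, first-match rule ordering nspasov describes (domain machine first, then domain user, then a default guest rule) and uses NAS-Port-Id, the only per-port attribute the switch was observed to send, to tell the library jacks (ports 1-12) from the public jacks (13-24). It also shows why "machine auth before user auth" has to be tracked per endpoint rather than per port: the cache is keyed on Calling-Station-Id (the endpoint MAC), so a laptop plugged into a jack the library PC just authenticated on does not inherit that machine authentication. The AD group sets, switch address, MACs and identities are constructed sample data, and the attribute names are plain RADIUS names rather than ISE's rule-editor labels; whether ISE 1.2 lets you express exactly this is not something the thread settles.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the AD lookups ISE would do (assumption: in ISE these
# are external identity group conditions; here they are just sets).
DOMAIN_COMPUTERS = {"host/lib-pc-01.example.com"}
DOMAIN_USERS = {"EXAMPLE\\zach", "EXAMPLE\\patron1"}
LIBRARY_STAFF = {"EXAMPLE\\zach"}          # the "specific group" allowed on library jacks

# The 24-port switch from the thread: 1-12 library PCs only, 13-24 public jacks.
LIBRARY_PORTS = range(1, 13)


def port_number(nas_port_id):
    """Pull the port index out of a NAS-Port-Id such as 'GigabitEthernet1/0/7' -> 7."""
    m = re.search(r"/(\d+)$", nas_port_id)
    return int(m.group(1)) if m else None


@dataclass(frozen=True)
class Request:
    nas_ip: str             # RADIUS NAS-IP-Address: which switch
    nas_port_id: str        # RADIUS NAS-Port-Id: which interface
    calling_station: str    # RADIUS Calling-Station-Id: endpoint MAC
    user_name: str          # EAP identity; a 'host/' prefix means machine auth


@dataclass
class State:
    # Endpoints (by MAC) that passed machine auth, and the switch/port they did it on.
    # Assumption: keyed on MAC so a different laptop on the same jack does not
    # inherit the library PC's machine authentication.
    machine_authed: dict = field(default_factory=dict)


def authorize(req, state):
    """First-match evaluation, top to bottom; returns (rule name, result)."""
    port = port_number(req.nas_port_id)
    is_machine = req.user_name.lower().startswith("host/")
    mac = req.calling_station.lower()

    # Rule 1: domain computer -> full access, and remember this endpoint.
    if is_machine and req.user_name in DOMAIN_COMPUTERS:
        state.machine_authed[mac] = (req.nas_ip, port)
        return ("Domain Machine Authentication", "FULL")

    # Rule 2: library jack. A user is accepted only if this same endpoint already
    # passed machine auth on this same jack and the user is in the allowed group.
    if port in LIBRARY_PORTS:
        if (state.machine_authed.get(mac) == (req.nas_ip, port)
                and req.user_name in LIBRARY_STAFF):
            return ("Library Jack User Access", "LIMITED")
        return ("Library Jack Default", "GUEST")

    # Rule 3: public jack, any domain user -> limited access.
    if not is_machine and req.user_name in DOMAIN_USERS:
        return ("User Access", "LIMITED")

    # Default rule: guest VLAN.
    return ("Default", "GUEST")


def demo():
    """Constructed scenario: the library PC on Gi1/0/3 authenticates, then a
    laptop is plugged into that jack, then into a public jack."""
    state = State()
    pc = Request("10.0.0.2", "GigabitEthernet1/0/3", "00:11:22:33:44:55",
                 "host/lib-pc-01.example.com")
    pc_user = Request("10.0.0.2", "GigabitEthernet1/0/3", "00:11:22:33:44:55",
                      "EXAMPLE\\zach")
    laptop = Request("10.0.0.2", "GigabitEthernet1/0/3", "66:77:88:99:aa:bb",
                     "EXAMPLE\\zach")
    public = Request("10.0.0.2", "GigabitEthernet1/0/15", "66:77:88:99:aa:bb",
                     "EXAMPLE\\zach")
    return [authorize(r, state)[1] for r in (pc, pc_user, laptop, public)]


if __name__ == "__main__":
    print(demo())   # ['FULL', 'LIMITED', 'GUEST', 'LIMITED']
```

The third request is the case Zach is worried about: the same staff account that is allowed on the library jack gets only guest access when it arrives from a MAC that never did machine auth on that jack, while the identical request on a public jack falls through to the ordinary domain-user rule.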
