682 Views | 5 Helpful | 5 Replies

permit only one identity on ISE 1.3

I have ISE 1.3 with one authentication and authorization policy with EAP-TLS. It works correctly, but I saw in the authentications report an identity with two different MAC addresses that were allowed by the policies.

I need to permit an identity on only one device, because the user copied his certificate to another device and got access to the network.

Is it possible to do this?


5 Replies

jan.nielsen, Level 7 (Accepted Solution)

ISE does not support restricting an identity to only be used with one device in this scenario. If your PCs are AD-enrolled machines, then you could use a machine certificate enrolled by the internal PKI with a GPO, and then set the certificate template to not allow export of the private key; then exporting the certificate won't be an easy hack for a regular user (it can be done).

Also, maybe ask the user why they are doing this; there could be a valid reason.

Hi Jan Nielsen

We don't have AD-enrolled machines; for this reason we only use an EAP-TLS policy.

Is it possible to create one policy that permits only one session per CN validated in the certificate?

And the reason the users are doing this is to use a personal device. This isn't permitted.

Thanks

jan.nielsen, Level 7 (Accepted Solution)

So, if they are not AD enrolled, how are you installing the certificates on them? Or are users doing this themselves? Are they Windows PCs or all sorts of machines?

As I said earlier, there is no way of restricting an identity from having more than one session in this scenario. Only when using guest access with central web auth in ISE is it possible to do this kind of restriction, and it is normally just used to only let the guest be online with one device at a time, not to restrict which devices they can use; however, it does not work for 802.1X authentication.

One way to limit the problem could be to include the MAC address of the device in the certificate (which can be done with BYOD provisioning of certs with ISE), and then check if the actual MAC address sent by the device is the same as what's in the cert. This can of course be bypassed as well, but not quite as easily.

Just out of curiosity, what type of environment is this? Enterprise, medical, educational or something else?
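As an added example (not from this thread, and not Cisco ISE code), the following Python script shows the audit side of what is discussed above: since ISE cannot enforce one-device-per-identity for EAP-TLS, the next best thing is to find the cases after the fact. It reads a constructed, simplified authentication log, reports any identity that authenticated from more than one MAC address, and, for the MAC-in-certificate idea, flags records where the MAC carried in the certificate SAN differs from the RADIUS Calling-Station-ID. The log layout, the field names (`UserName`, `Calling-Station-ID`, `CertSAN`) and all usernames and MAC addresses are constructed for the example; a real ISE authentication report export would need its own column mapping.

```python
"""Audit EAP-TLS authentications for one identity used from several endpoints.

Added example, not ISE code. The record format below is constructed and
simplified; it is not ISE's real syslog or report layout.
"""
import re
from collections import defaultdict

# Constructed sample records (not real ISE output). Note the three MAC
# spellings RADIUS clients commonly send: dashes, colons and dotted-quad.
SAMPLE_LOG = """\
2015-03-02 09:01:12 Passed-Authentication UserName=jdoe Calling-Station-ID=00-11-22-33-44-55 Protocol=EAP-TLS CertSAN=MAC:00:11:22:33:44:55
2015-03-02 09:03:40 Passed-Authentication UserName=asmith Calling-Station-ID=AA-BB-CC-DD-EE-01 Protocol=EAP-TLS CertSAN=MAC:aa:bb:cc:dd:ee:01
2015-03-02 09:15:05 Passed-Authentication UserName=jdoe Calling-Station-ID=66-77-88-99-AA-BB Protocol=EAP-TLS CertSAN=MAC:00:11:22:33:44:55
2015-03-02 09:20:31 Passed-Authentication UserName=asmith Calling-Station-ID=aabb.ccdd.ee01 Protocol=EAP-TLS CertSAN=MAC:aa:bb:cc:dd:ee:01
"""

# key=value pairs; keys may contain dashes (Calling-Station-ID), values have no spaces.
FIELD_RE = re.compile(r"(\w[\w-]*)=(\S+)")


def normalize_mac(raw):
    """Collapse 00-11-22-33-44-55 / 00:11:22:33:44:55 / 0011.2233.4455 to 001122334455.

    Without this, the same endpoint would look like two different devices
    depending on which switch or WLC reported it.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return hexdigits.lower()


def parse_records(text):
    """Turn each log line into a dict with the identity, the endpoint MAC and
    the MAC embedded in the certificate SAN (None if the cert carries none)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        san = fields.get("CertSAN", "")
        cert_mac = normalize_mac(san[len("MAC:"):]) if san.startswith("MAC:") else None
        records.append({
            "user": fields["UserName"],
            "mac": normalize_mac(fields["Calling-Station-ID"]),
            "cert_mac": cert_mac,
        })
    return records


def identities_with_multiple_endpoints(records):
    """Map each identity to the set of endpoint MACs it authenticated from and
    return only the identities seen from more than one endpoint."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["mac"])
    return {user: sorted(macs) for user, macs in seen.items() if len(macs) > 1}


def cert_mac_mismatches(records):
    """Records where the MAC written into the certificate does not match the
    endpoint that presented it, i.e. the certificate has travelled."""
    return [r for r in records
            if r["cert_mac"] is not None and r["cert_mac"] != r["mac"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for user, macs in identities_with_multiple_endpoints(recs).items():
        print("identity %s seen from %d endpoints: %s" % (user, len(macs), ", ".join(macs)))
    for r in cert_mac_mismatches(recs):
        print("cert/endpoint mismatch for %s: cert says %s, endpoint is %s"
              % (r["user"], r["cert_mac"], r["mac"]))
```

On the sample data the script reports `jdoe` from two endpoints and one record where the certificate's MAC and the Calling-Station-ID disagree, which is exactly the copied-certificate case the original poster saw in the report. The MAC normalization matters in practice: wired and wireless NADs often format Calling-Station-ID differently, and without it a single device can be miscounted as two.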

The users install the certificates themselves. All PCs are Windows.

And it is educational.

Thanks for the information, I will inform the client.

Regards

Jan is correct. If you want to add an additional layer, you can use CWA chaining, where the user will be redirected to a portal to enter a username and password.