Can anyone tell me the settings for the Windows 7 supplicant that work with ISE and PEAP using machine authentication? I have an authorization profile that permits the user login only after machine 'WasAuthenticated'. I have only found this to work by setting the Windows 7 supplicant up to use Single Sign-On before Windows logon and to specify 'User or Machine' authentication. Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot. Surely this isn't right. What if a user logs on without any connection with cached credentials and then wants to use wireless? Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/user auth states? I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the machine was authenticated, which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The 'was machine authenticated' check is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. At Cisco Live 2012, they even suggested you don't do this, due to not knowing how long ACS or ISE will keep this cached information.
Sent from Cisco Technical Support iPhone App
Quick one. If Cisco suggests not to use 'was machine authenticated' within ISE, then how can we enforce policies in a case when I want to provide three different levels of access depending on
This works well if 'was machine authenticated' is used within the policy. However, as you stated, this information expires over time (or, if a user logs in using cached credentials at home, puts the PC into standby and gets into the office, there will be no machine-related session on ISE). Actually, in this last case I can present a redirect web page asking users to log off / log on to enforce the policies... but it doesn't seem like a good approach if during the day the machine authentication state expires and the user is forced to re-log in again.
After reading for a while, the only feasible approach would be to deploy EAP-FAST with EAP chaining. This will allow authenticating both machine and user in a single authentication flow. Machine and user will be authenticated every time.
This can be achieved with the help of AnyConnect NAM, or a registry patch for Windows 7 and 10 which enables EAP-FAST for the native supplicant. I am going to try this soon and if I don't forget I will update this post :)
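To make the failure modes in this post concrete, here is a small simulation (added here, not code from the thread or from Cisco) of how a 'was machine authenticated' rule behaves versus an EAP-chaining rule. It models the per-MAC record a RADIUS server keeps after a computer-account authentication, with a constructed expiry time, and walks through the three cases discussed: boot on the wire then user logon, cached-credential logon at home followed by joining the office wireless, and a user re-authentication after the record has expired. Function names, the TTL and the MAC address are all made up for the example.

```python
from dataclasses import dataclass, field

# Constructed value: how long the server remembers a successful machine
# authentication for an endpoint. ISE has a comparable tunable; the number
# here is illustrative only.
MACHINE_AUTH_TTL_SECONDS = 8 * 3600


@dataclass
class MachineAuthCache:
    """Per-MAC memory of the last successful computer-account authentication."""
    ttl: int = MACHINE_AUTH_TTL_SECONDS
    entries: dict = field(default_factory=dict)  # mac -> time of last machine auth

    def record(self, mac: str, now: int) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        last = self.entries.get(mac)
        return last is not None and (now - last) <= self.ttl


def authorize(cache: MachineAuthCache, event: dict) -> str:
    """Evaluate one access-request the way a 'WasMachineAuthenticated' rule does.

    event keys: 'time' (seconds), 'mac', 'kind' ('machine' or 'user').
    Returns 'machine' for a computer-account session, 'full' for a user whose
    device has a live machine-auth record, 'restricted' for a user whose
    device does not (no record, or record expired without a reboot)."""
    mac, now = event["mac"], event["time"]
    if event["kind"] == "machine":
        cache.record(mac, now)
        return "machine"
    if cache.was_machine_authenticated(mac, now):
        return "full"
    return "restricted"


def authorize_chained(machine_ok: bool, user_ok: bool) -> str:
    """With EAP chaining both results arrive in the same exchange, so the
    decision depends only on this session and no cached record is needed."""
    if machine_ok and user_ok:
        return "full"
    if machine_ok:
        return "machine"
    if user_ok:
        return "restricted"
    return "deny"


def run(events: list) -> list:
    """Feed a sequence of supplicant events through one server; collect results."""
    cache = MachineAuthCache()
    return [(e["time"], e["kind"], authorize(cache, e)) for e in events]


# Constructed scenarios matching the cases discussed in the thread.
PC = "00:11:22:33:44:55"

# 1. Boot on the wire: machine auth first, then the user logs on.
SCENARIO_BOOT_THEN_LOGON = [
    {"time": 0, "mac": PC, "kind": "machine"},
    {"time": 60, "mac": PC, "kind": "user"},
]

# 2. Cached-credential logon at home; the laptop later joins office wireless.
#    No machine auth ever reached the server, so the user lands in 'restricted'.
SCENARIO_OFFLINE_LOGON = [
    {"time": 0, "mac": PC, "kind": "user"},
]

# 3. Machine auth at boot, then a user re-authentication after the record
#    expired (session timeout the next day, no reboot): access silently drops.
SCENARIO_CACHE_EXPIRY = [
    {"time": 0, "mac": PC, "kind": "machine"},
    {"time": 60, "mac": PC, "kind": "user"},
    {"time": MACHINE_AUTH_TTL_SECONDS + 1, "mac": PC, "kind": "user"},
]

if __name__ == "__main__":
    for name, scenario in [("boot then logon", SCENARIO_BOOT_THEN_LOGON),
                           ("offline logon", SCENARIO_OFFLINE_LOGON),
                           ("cache expiry", SCENARIO_CACHE_EXPIRY)]:
        print(name, run(scenario))
    print("chained, both pass:", authorize_chained(True, True))
```

The point of the contrast is in the last two scenarios: the cache-based rule cannot distinguish "corporate asset whose record aged out" from "device that never did machine auth", so a redirect-and-relogon workaround is the only way back to full access, whereas the chained decision is recomputed on every session.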
After I performed my tests I can confirm the following:
a) The native supplicant patch which enables EAP-FAST in Windows doesn't support EAP chaining. If you want to use machine authentication coupled with user authentication via EAP-FAST you HAVE to use AnyConnect NAM and its EAP-FASTv2.
b) AnyConnect NAM kills ALL possible key caching methods. That is officially confirmed by Cisco BU engineers when I asked them about it during Cisco Live. Windows doesn't share an API for cached credentials, hence if you deploy NAM you lose features like OKC, CCKM and 802.11r - period.
So, in this case it's a choice of security vs. seamless roaming, especially if you have WAN-separated branches with centralized ISE.
It's not just EAP-FAST: once you start using NAM instead of the native supplicant you lose key caching, regardless of the EAP method. That's why we ended up using EAP-TLS with machine and user certificates (non-exportable) over the native supplicant. This kind of simulates the following: if the PC logged in using the machine certificate then it's PC-level access; otherwise, if it's a corporate user, then we know he/she comes from a corporate ASSET. A non-corporate asset will have no user certificate on it.
As to TEAP, I am not sure. Last time I checked Windows 10 there was no way to do TEAP with the native supplicant, and because NAM doesn't support key caching I haven't even looked into it anymore.