Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

Scott Pickles
Level 4

Can anyone tell me the settings for the Windows 7 supplicant that work with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after the machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.

Regards,

Scott

7 Replies

Scott Fella
Hall of Fame

Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the user was authenticated, which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The 'was machine authenticated' check is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. At Cisco Live 2012, they even suggested you don't do this due to not knowing how long ACS or ISE will keep this cached credential info.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott.

Quick one. If Cisco suggests not to use 'was machine authenticated' within ISE, then how can we enforce policies in a case where I want to provide three different levels of access depending on:

  1. Machine is Authenticated (access to DHCP/DNS/AD only)
  2. Machine and User are authenticated (or read it differently, AD user is using AD machine) - full access
  3. AD user credentials only - no access, as, for example, I don't want users to put their creds on an iPhone and get full access to the corporate network.

This works well if 'was machine authenticated' is used within the policy. However, as you stated, this information expires over time (or, if a user logs in using cached credentials at home, puts the PC into standby and gets into the office, there will be no machine-related session on ISE). Actually, in this last case I can present a redirect web page asking users to log off / log on to enforce the policies... but it doesn't seem like a good approach if during the day the machine authentication state expires and the user is forced to log in again.

After reading for a while, the only feasible approach would be to deploy EAP-FAST with EAP chaining. This allows authenticating both machine and user in a single authentication flow. Machine and user will be authenticated every time.

This can be achieved with the help of AnyConnect NAM, or a registry patch for Windows 7 and 10 which enables EAP-FAST for the native supplicant. I am going to try this soon and, if I don't forget, will update this post :)
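The two policy models discussed above (three access tiers driven by the 'was machine authenticated' cache, versus EAP chaining where both results arrive in one session) can be sketched as code. The following is an added example written for this page, not code from the thread or from Cisco ISE: it models the MAR cache as a dictionary keyed on the endpoint MAC with an aging time, applies the three-tier rule, and runs a constructed timeline (MAC addresses, identities and timestamps are all made up) that reproduces the expiry problem the posts describe.

```python
"""Model of how an ISE-style authorization policy tiers access when machine and
user authentication arrive separately (MAR / 'Was Machine Authenticated') versus
in one session (EAP chaining). Constructed example, not code from the thread."""
from dataclasses import dataclass, field
from enum import Enum


class Access(str, Enum):
    NONE = "deny"                       # tier 3: AD creds on a non-corporate device
    MACHINE_ONLY = "dhcp-dns-ad-only"   # tier 1: machine authenticated, no user yet
    FULL = "full-access"                # tier 2: AD user on an AD machine


@dataclass
class MarCache:
    """Machine Access Restriction cache keyed on the endpoint MAC
    (RADIUS Calling-Station-Id). Entries age out after `aging_seconds`,
    which is the behaviour behind the expiry problem discussed above."""
    aging_seconds: int
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        stamp = self.entries.get(mac)
        if stamp is None:
            return False
        if now - stamp > self.aging_seconds:
            del self.entries[mac]       # aged out: the server has forgotten this machine
            return False
        return True


def authorize_mar(cache: MarCache, mac: str, identity: str,
                  auth_ok: bool, now: float) -> Access:
    """Separate machine and user EAP sessions. A machine identity is assumed
    to look like 'host/<hostname>'; anything else is treated as a user."""
    if not auth_ok:
        return Access.NONE
    if identity.startswith("host/"):
        cache.record_machine_auth(mac, now)
        return Access.MACHINE_ONLY
    if cache.was_machine_authenticated(mac, now):
        return Access.FULL
    return Access.NONE


def authorize_eap_chaining(machine_ok: bool, user_ok: bool) -> Access:
    """EAP chaining (EAP-FASTv2 / TEAP): both results are known within one
    session, so no server-side cache is needed and nothing can expire."""
    if machine_ok and user_ok:
        return Access.FULL
    if machine_ok:
        return Access.MACHINE_ONLY
    return Access.NONE


def scenario() -> dict:
    """Constructed timeline for one corporate laptop and one phone against a
    MAR cache with an 8-hour aging time (values chosen for illustration)."""
    cache = MarCache(aging_seconds=8 * 3600)
    laptop, phone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed MACs
    hour = 3600
    out = {}
    # 1. laptop boots on the corporate network: machine auth succeeds
    out["boot"] = authorize_mar(cache, laptop, "host/LAPTOP01.corp.example", True, 0)
    # 2. user logs on shortly after: MAR entry present -> full access
    out["logon"] = authorize_mar(cache, laptop, "CORP\\alice", True, 5 * 60)
    # 3. same user types her AD creds on a phone: no machine auth on that MAC
    out["phone"] = authorize_mar(cache, phone, "CORP\\alice", True, 10 * 60)
    # 4. nine hours later the laptop re-authenticates as the user (no reboot):
    #    the MAR entry has aged out, so the user is silently demoted
    out["after_expiry"] = authorize_mar(cache, laptop, "CORP\\alice", True, 9 * hour)
    # 5. the same two endpoints under EAP chaining never depend on a cache
    out["chaining_laptop"] = authorize_eap_chaining(True, True)
    out["chaining_phone"] = authorize_eap_chaining(False, True)
    return out


if __name__ == "__main__":
    for step, level in scenario().items():
        print(f"{step:>16}: {level.value}")
```

Step 4 is the case both posts worry about: nothing in the user's session changed, yet the policy result flips to deny because the server-side cache aged out. The chaining functions show why EAP-FASTv2 removes the problem: the machine result travels with the user result instead of being looked up from earlier state.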

Hello, I agree with you! I am adding here a really nice description of MAR cache behaviour: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
Jakub

Thanks Jakub!

After I performed my tests I can confirm the following:

a) The native supplicant patch which enables EAP-FAST in Windows doesn't support EAP chaining. If you want to use machine authentication coupled with user authentication via EAP-FAST you HAVE to use AnyConnect NAM and its EAP-FASTv2.

b) AnyConnect NAM kills ALL possible key caching methods. That was officially confirmed by Cisco BU engineers when I asked them about it during Cisco Live. Windows doesn't share an API for cached credentials, hence if you deploy NAM you lose features like OKC, CCKM and 802.11r - period.

So, in this case it's a choice of security vs. seamless roaming, especially if you have WAN-separated branches with centralized ISE.

Thanks for the information about the caching mechanism, I didn't know that caching is not supported when AC and EAP-FASTv2 are used, this is new info for me!

Yes, this is well-known, Windows OS is using EAP-FASTv1 only, which does not support EAP-FAST EAP chaining - so you are right, the only way is to use EAP-FASTv2 in AC...

And what about the support of EAP-TEAP in Windows and ISE 2.x(4)? I suppose TEAP is still not supported by well-known vendors like Cisco, etc.? Do you have some actual info about it?

Regards,
Jakub

It's not just EAP-FAST; once you start using NAM instead of the native supplicant you lose key caching, regardless of the EAP method. That's why we ended up using EAP-TLS with machine and user certificates (non-exportable) over the native supplicant. This kind of simulates the following: if the PC logged in using the machine certificate then it's PC level of access; otherwise, if it's a corporate user, then we know he/she comes from a corporate ASSET. A non-corporate asset will have no user certificate on it.

As to TEAP, I am not sure. Last time I checked Windows 10 there was no way to do TEAP with the native supplicant, and because NAM doesn't support key caching I haven't even looked into it anymore.
