Best authentication method for controlling DEVICE access to wlan

Konnan19183
Level 1

Hello,

I have a similar question to this thread ( https://supportforums.cisco.com/message/3927713 ) but I'm interested about device control on top of user control. Just like that thread, we are using WPA2-AES Enterprise with PEAP MSCHAPv2, which allows users to log on with their domain credentials. We wanted something simple for our users, so MSCHAPv2 with "single sign on" was optimal for us.

Problem is, we have a new requirement and we need to implement it yesterday. We would like to allow only mobile devices and computers of our choice.

Since we are using MSCHAPv2, which allows every domain user to connect using any device as long as their domain credentials are valid, is there a simple way to control this?

I guess we could go with MAC filtering, but we have about a thousand laptops. Not a big problem, we could do a regular MAC address inventory using SCCM. It's just that it looks like a brute force tactic to a simple problem. Would a Cisco ACS 4.1 RADIUS server tolerate well a MAC address table with a thousand entries? What if it goes to two thousand? Would this be easy to implement? I'm a bit new to this; is there some documentation I could follow?

How do people usually do this in an elegant way? How do you manage and control WLAN access to thousands of devices? I guess they go with TLS with certificates?

Thank you very much!

Konnan

17 Replies

Scott Fella
Hall of Fame

When you have a requirement on knowing device type along with user credentials, your best bet is to look at Cisco ISE. This will handle the radius but allows you to profile devices so you can set policies to users and/or users' devices. With other radius servers, you're really trying to figure out a workaround that most of the time doesn't work well.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hello Mr. Fella,

Thank you very much for your advice. Much appreciated, I will have a look at the Cisco ISE.

On the other hand, what do you think about my workaround of MAC filtering, is it even possible? Or about TLS with certificates?

Thanks again,

Konnan

Either will work okay, Mac filter is a management nightmare though and doesn't help if the MAC address is spoofed. Now EAP-TLS would work as long as the devices are on the domain and you have a CA to issue certificates. You can also use PEAP doing machine authentication, which of course will only allow domain computers to authenticate.


-Scott

Hello Mr. Fella,

Thank you very much again, you are quick!

PEAP with machine authentication, sounds interesting to me! Does that work well usually? You mean you both authenticate the machine at first, then the user after... that would be what we are looking for...

For EAP-TLS, we do not have a CA, we would generate our own certificate and push it through SCCM to devices of our choice... not elegant, but AFAIK it should work.

For MAC Address, even with thousands of entries in the MAC filtering table, Cisco ACS 4.1 RADIUS should manage it well?

Is there any valid alternative to you besides Cisco ISE?

Thank you very much,

Konnan

Scott Fella
Hall of Fame

No... Machine auth just does the machine and works well if you are doing any type of login scripts. There isn't a true two factor with just using radius unless you either use a proprietary EAP-TTLS or ISE with AnyConnect.


-Scott

Hello Mr. Fella,

I'm wondering, I hope it doesn't sound too stupid... Would machine authentication work after the user has logged on?

We set the connection to manual so that users are by default on the wired network when they log on, and they have to manually connect to the WLAN if needed. Our wired network is much faster and stable, so we want them to use wireless only on the move and in conference rooms.

I'm asking it because what I'm seeing is that most people do machine authentication right at the logon screen before the user has to log on.

Thanks,

Konnan

Machine authentication happens first... This is a Windows process, not a WLC or wireless process.  Windows will send the machine credentials first, then it will send user information every time after that.  This doesn't mean you can use both, as Windows does Computer OR User, not BOTH.  Machine authentication is good to use especially if you want the machine to authenticate to the network prior to any login scripts.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott

Hello again Mr. Fella,

Thanks a lot for your input.

I read a lot on the subject of machine authentication, like this documentation https://supportforums.cisco.com/docs/DOC-21825 and associated threads.

In our domain, the ACS Radius servers are not joined to the domain, we use ACS-remote software installed on a server joined to the domain to do an authentication relay between the ACS Radius server and Active Directory.

Would it be possible to configure Access policies even if our Radius servers aren't joined to the domain?

Still wondering if it would be a good path for us, because of the computer authentication issue where it happens only at logon in Windows if I read correctly and our users don't have the habit to log off frequently and we use only manual connection mode when the user already has his session open. I guess MAR will have to be set to a stupid high value... if it even works.

I'm wondering if EAP-TLS wouldn't be better for the long term, maybe with MAC Address restriction on the short term...

I'm also wondering if we could stay with PEAP MSCHAPv2 but use an NPS Radius server from Microsoft, which allows the use of complex policies, instead of the Cisco ACS Radius server...

There's also the Cisco ISE, which seems to be equivalent to Microsoft NPS... a bit more costly OTOH.

Thank you very much,

Konnan

Konnan,

Just saw your PM:)

Would it be possible to configure Access policies even if our Radius servers aren't joined to the domain?

> I really don't know... typically all my installs have the radius server joined to the domain.  I don't know what limitations you would have using the setup you currently are using.

Still wondering if it would be a good path for us, because of the computer authentication issue where it happens only at logon in Windows if I read correctly and our users don't have the habit to log off frequently and we use only manual connection mode when the user already has his session open. I guess MAR will have to be set to a stupid high value... if it even works.

> Well you need to sit down with everyone who is involved and really think out what works best for you.  Machine authentication works well, but then people wonder what happens if someone logs in that isn't authorized and that because the computer is a domain computer it automatically gets on the network.  Well you're not going to get everything you want:)  So PEAP has an issue because IT wants to limit the user to only be able to access using a company owned device... well, then ISE is your fix.  You can add a certificate that ISE can see and if that device has that or a registry value and the user is allowed to access the network, the authentication is allowed, or else it will not be.  EAP-TLS... well more work since you need a PKI infrastructure and both the radius and the clients need a cert...

No matter what, you need to decide what works best and don't over complicate it with adding mac filter, etc.

I'm wondering if EAP-TLS wouldn't be better for the long term, maybe with MAC Address restriction on the short term...

> See above

I'm also wondering if we could stay with PEAP MSCHAPv2 but use an NPS Radius server from Microsoft, which allows the use of complex policies, instead of the Cisco ACS Radius server...

> You need to know how to setup and configure the policies... either one will work, but if you're on ACS 4.x, I would look at upgrading to 5.4.  ISE is replacing ACS as far as the radius portion, but tacacs isn't yet available on ISE.

There's also the Cisco ISE, which seems to be equivalent to Microsoft NPS... a bit more costly OTOH.

> ISE allows you to profile devices so you know what device is accessing your network.  Again, ISE is replacing ACS as far as the radius, but tacacs will soon be out and available for ISE.  If you really want to create crazy profiles, then ISE is the way to go.  You can specify that this user group is allowed wireless, but it has to be a domain computer.  The user isn't allowed access if it's not a domain computer.  The same user group is allowed access with company iPads (certificate installed), but not have access with personal iPads, tablets or smartphones.

Hope this helps.

Thanks,

Scott

-Scott
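The MAR (Machine Access Restriction) aging problem Konnan raises above, and Scott's point that Windows sends computer OR user credentials but never both, modelled as an added Python example; this is not code from the thread or from Cisco, and the RADIUS server behaviour, the client MACs and the timeline are simplified assumptions constructed for illustration.

```python
# Added example (not from the Cisco thread): a toy model of a RADIUS server
# enforcing Machine Access Restriction on PEAP-MSCHAPv2.  The server keeps the
# time of the last successful machine authentication per Calling-Station-Id
# (client MAC) and accepts a user authentication from that MAC only while the
# entry is younger than the configured aging time.  The cache semantics are an
# assumption written to show why long-lived user sessions break MAR.
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class MarCache:
    """Remembers the last successful machine authentication per client MAC."""
    aging_seconds: int
    _machines: dict = field(default_factory=dict)  # MAC -> last machine-auth time

    def authenticate(self, calling_station_id: str, identity: str, now: int) -> bool:
        """One inner identity per attempt: Windows sends either the computer
        account (host/NAME) or the user account, never both at once."""
        if identity.startswith("host/"):
            # Machine auth: record the time so a later user auth can be tied to it.
            self._machines[calling_station_id] = now
            return True
        # User auth: allowed only from a MAC that machine-authenticated recently.
        last = self._machines.get(calling_station_id)
        return last is not None and now - last <= self.aging_seconds


def roaming_laptop(aging_seconds: int) -> list:
    """Constructed timeline for one domain laptop (MAC is made up):
    t=0       boots on the WLAN and sends machine credentials
    t=1 min   user logs on, the WLAN re-authenticates as the user
    t=3 days  user, still logged on, connects manually in a conference room
    Returns the accept/reject result of each of the three attempts."""
    srv = MarCache(aging_seconds)
    mac = "00-11-22-33-44-55"
    return [
        srv.authenticate(mac, "host/LAPTOP01.corp.example", 0),
        srv.authenticate(mac, "CORP\\alice", 60),
        srv.authenticate(mac, "CORP\\alice", 3 * 24 * HOUR),
    ]


def wired_logon_laptop(aging_seconds: int) -> bool:
    """Laptop that logged on over the wire (no 802.1X there), so the RADIUS
    server never saw a machine auth; the user then joins the WLAN manually.
    Rejected no matter how high the aging time is set."""
    srv = MarCache(aging_seconds)
    return srv.authenticate("00-11-22-33-44-66", "CORP\\bob", 2 * HOUR)
```

With a 24-hour aging time the third attempt in `roaming_laptop` is rejected; only a multi-day value (or machine authentication over the WLAN on every boot) keeps the user sessions the thread describes working.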

Hello Mr. Fella,

Thanks a lot for your time. I will think about it. I marked that post as the definitive answer to this thread. :-)

Have a nice week and thanks again,

Konnan

No problem. Sorry for the late follow up.


-Scott

Scott Fella
Hall of Fame

With radius you can filter users and they are okay with that. Again... Radius is good to authenticate computer or user but not device type, etc.; for that you would need ISE which can profile a device.

I can say that an internal user can authenticate using a domain computer that has a cert or reg entry, but an internal user can't access using a smartphone but can have Internet access if it's a tablet.


-Scott

Dear Scott,

Can you advise if it is possible to limit the users' access to the WLAN, in other words I need to limit the access for the user to two devices only by his domain credentials?

Is there any configuration that I can add on the ISE?

Regards,

I don't think that is possible until the next release of ISE. There have been some posts in regards to the same question that I have seen. Might have to wait until the next release of ISE. The WLC has a max login count but that's global and only works if the auth is passing through the same WLC:)


-Scott