cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3531
Views
24
Helpful
6
Replies
sqambera
Beginner

Certificate based authentication with EAP chaining

Hi everyone,

My question is about EAP-TLS and EAP Chaining. I know EAP-TLS is used for certificate based authentication. I am thinking of using it with EAP Chaining which employees both machine and user authentication. So if we use EAP-TLS with EAP chaining, would it mean that ISE will validate user certificate as well as machine certificate? I am not even sure whether there is anything which is called user certificate. Not a Microsoft guy.

My second question is that is there a way that we could use simultaneously both certificate and username/password for authentication?

I'd highly appreciate any explanation or reference document that could help to clarify my concept about it.

Thanks,

Qamber

1 ACCEPTED SOLUTION

Accepted Solutions

Yes, with EAP-Chaining you can do both machine and user certificate authentication at the same time.

Yes, you can use EAP-TLS and PEAP/MSCHAPv2 also in the same authentication, this is whats special about EAP-Chaining, and why it's requires anyconnect nam. When you define your anyconnect configuration, you will be asked if you wan't to do user, machine or user and machine authentication, and you will get two seperate config settings, one for user and one for machine, and you can select any EAP method in those, they don't have to be the same.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

View solution in original post

6 REPLIES 6
jan.nielsen
Rising star

So first off, EAP-Chaining requires anyconnect nam installed, and is windows only. Windows has a concept of a user and a machine, which have different credentials. EAP-Chaning allows you to tunnel EAP-TLS or PEAP thorugh EAP-Chaining (actually it's technically EAP-FAST).

So EAP-Chaining allows you to bind your machine identity and your user identity together in an ISE policy, so you can see what user is logged in, to which machine, and ensure that only valid machines can be used to log in as a user. EAP-Chaning also allows for different eap types in the same authentication, which means you can use EAP-TLS for machine certificate authentication, combined with PEAP/AD user login. In ISE, you can then use the attribute EAPchaingresult, to make check if the authentication has passed both user and machine login. Hope that answers some of your questions.

Many thanks Jan for your reply. Its really helpful.

So based on description about EAP chaining and that you said "you can use EAP-TLS for machine certificate authentication", does it mean that through EAP chaining in EAP-TLS, ISE can check both machine and user certificate in same authentication?

I understand from your response that answer to my second question whether or not we can use certificate based authentication (EAP-TLS) with AD username/password for authentication together is yes. But I am not sure how it would be done because outer protocols like PEAP or EAP-FAST select internal EAP type like either MD5, MSCHAP or EAP-TLS. So would it be like we select both EAP-TLS and MSCHAP in EAP-FAST/PEAP? 

Thanks again,

Qamber

Yes, with EAP-Chaining you can do both machine and user certificate authentication at the same time.

Yes, you can use EAP-TLS and PEAP/MSCHAPv2 also in the same authentication, this is whats special about EAP-Chaining, and why it's requires anyconnect nam. When you define your anyconnect configuration, you will be asked if you wan't to do user, machine or user and machine authentication, and you will get two seperate config settings, one for user and one for machine, and you can select any EAP method in those, they don't have to be the same.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

View solution in original post

Thanks Jan. I appreciate your time and effort to answer my questions.

Hi Jan.

 

Is it possible to do the same with mac computers? (With the NAM module

 

They do have a computer store, and it is possible to install both a Computer and a User certificate on them.

u cant authenticate the same entity (f.e. user) with different approaches (f.e. EAP-TLS or MSCHAPv2) simultaneously. it's senseless. 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel