cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4364
Views
18
Helpful
6
Replies

User AND Machine Auth - Sleep mode

junk1
Cisco Employee
Cisco Employee

Hi

I am currently working for a DNA SDA customer on the ISE part. They are shifting from ISE 1.4 dACL based authorization (Machine Only) to DNA SDA TrustSec based authorization (User AND Machine). I am proposing AnyConnect for the solution against which the customer is reluctant to, as they already have many other client software in their endpoints.

To convince the customer, it would be great if you could confirm if my below understanding is correct.

////

In Machine-Only Authentication with Native Supplicant, when the machine restores back from sleep/hibernate mode, the Supplicant sends Machine credentials and gets authenticated automatically without user intervention.

In User-AND-Machine Authentication mode with Native Supplicant, when the machine restores back from sleep/hibernate mode, the Supplicant sends User credentials ONLY and NOT machine credentials. This behaviour is because of the User OR Machine credentials way of working in Windows Native Supplicant.

////


I see that in ISE 2.3, there is an option to extend the MAR cache time to 365 days. Could you please confirm if we set the MAR cache aging time to 365 days, then the endpoints that restores back from sleep mode for a Machine AND User authentication will not fail? Apart from the security risk that any non-Corporate machine with same hostname and MAC address can get authenticated through same switch port, technically we don't need AnyConnect with this feature?


Please help me understand the behaviour of Windows machine with User or Machine authentication enabled while restored from sleep mode.



Thanks and Regards

V Vinodh.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10
Level 10

Vinodh,

Hello again after direct chat.  It is good that questions posted here so other SMEs can respond and responses are archived for future reference!

As noted, Machine Access Restrictions (MAR) has a number of caveats.  The basis of MAR is that a machine auth must first occur and the MAC address, not hostname or other credential, is cached in a specific PSN.  If MAR enabled and policy is based on user and "if machine-authenticated", then subsequent user auth will perform a lookup into MAR cache on local PSN and determine if MAC address (as learned from Calling Station ID) is present.

When both auth events occur from same connection and to same PSN, which is often the case for initial bootup, then life is wonderful and MAR works as expected.  However, there are cases where MAR can be problematic, including:

  • MAR Cache times out and user reauth fails since no longer a corresponding MAC in MAR cache, thus requiring reboot or user logoff to re-trigger machine auth.
  • Load Balancer is not configured for MAC address persistence, or the persistence/sticky cache expires before next user auth, thus resulting in user auth occurring against a different PSN which has no MAR cache entry from previous machine auth.
  • Without logging off or shutting down, user moves from one NAD or location to another, again resulting in the user auth hitting a different PSN or LB VIP.
  • Machine and user authenticate on wired (or wireless) and then moves to wireless (or wired) without rebooting computer or logging off user account.
  • PSN where MAR cache exists is cleared out after a PSN restart.

As you can see, many of the cases where MAR can fail include case where PC goes into hibernation/sleep mode and when it returns, it may hit a different PSN, or it connects with a different MAC, or cache on PSN has times out.  Increasing the MAR cache timer may help address specific cases resulting from cache time out, but that is only attempts to address the first bullet above and as noted, becomes a potential security exposure.

As noted in email, two features will help case where PSN restarts or if move between PSNs:

1) ISE 2.2 adds support to persist MAR cache between restarts.

2) ISE 2.3 adds support to synchronize MAR cache between PSNs in same node group (not globally if multiple clusters).

You mentioned that Machine Auth automatically occurs after return from sleep/hibernate, or that user auth automatically occurs if machine+user.  I don't think that is the case and machine auth only occurs after user logoff or restart or connection termination (such as plug and unplug wired connection, or disconnect and reconnect to SSID).  I suspect you are seeing a reauth event due to session timeout and when switch requests identity, it is either sending machine or user based on client config.  In either case, the most problematic case is where MAR enabled and one of the above conditions occurs after device exists sleep/hibernate.

If goal is to authenticate machine once and not have to repeat that step after a long interval, then I would recommend using device registration to allow MAC address to be registered and optionally purged at some interval--whether week, month, quarter as that can be persisted globally and device is associated to the user (portal_user attribute).  You can also customize registration to a specific Endpoint Identity Group.

If goal is to truly authenticate machine + user via 1X credentials for both in each connection, then recommendation would be AC NAM for supported Windows clients, but ultimately TEAP is the preferred route and that still has not been adopted by major players like Microsoft / Apple.

HTH,

Craig

View solution in original post

6 Replies 6

Craig Hyps
Level 10
Level 10

Vinodh,

Hello again after direct chat.  It is good that questions posted here so other SMEs can respond and responses are archived for future reference!

As noted, Machine Access Restrictions (MAR) has a number of caveats.  The basis of MAR is that a machine auth must first occur and the MAC address, not hostname or other credential, is cached in a specific PSN.  If MAR enabled and policy is based on user and "if machine-authenticated", then subsequent user auth will perform a lookup into MAR cache on local PSN and determine if MAC address (as learned from Calling Station ID) is present.

When both auth events occur from same connection and to same PSN, which is often the case for initial bootup, then life is wonderful and MAR works as expected.  However, there are cases where MAR can be problematic, including:

  • MAR Cache times out and user reauth fails since no longer a corresponding MAC in MAR cache, thus requiring reboot or user logoff to re-trigger machine auth.
  • Load Balancer is not configured for MAC address persistence, or the persistence/sticky cache expires before next user auth, thus resulting in user auth occurring against a different PSN which has no MAR cache entry from previous machine auth.
  • Without logging off or shutting down, user moves from one NAD or location to another, again resulting in the user auth hitting a different PSN or LB VIP.
  • Machine and user authenticate on wired (or wireless) and then moves to wireless (or wired) without rebooting computer or logging off user account.
  • PSN where MAR cache exists is cleared out after a PSN restart.

As you can see, many of the cases where MAR can fail include case where PC goes into hibernation/sleep mode and when it returns, it may hit a different PSN, or it connects with a different MAC, or cache on PSN has times out.  Increasing the MAR cache timer may help address specific cases resulting from cache time out, but that is only attempts to address the first bullet above and as noted, becomes a potential security exposure.

As noted in email, two features will help case where PSN restarts or if move between PSNs:

1) ISE 2.2 adds support to persist MAR cache between restarts.

2) ISE 2.3 adds support to synchronize MAR cache between PSNs in same node group (not globally if multiple clusters).

You mentioned that Machine Auth automatically occurs after return from sleep/hibernate, or that user auth automatically occurs if machine+user.  I don't think that is the case and machine auth only occurs after user logoff or restart or connection termination (such as plug and unplug wired connection, or disconnect and reconnect to SSID).  I suspect you are seeing a reauth event due to session timeout and when switch requests identity, it is either sending machine or user based on client config.  In either case, the most problematic case is where MAR enabled and one of the above conditions occurs after device exists sleep/hibernate.

If goal is to authenticate machine once and not have to repeat that step after a long interval, then I would recommend using device registration to allow MAC address to be registered and optionally purged at some interval--whether week, month, quarter as that can be persisted globally and device is associated to the user (portal_user attribute).  You can also customize registration to a specific Endpoint Identity Group.

If goal is to truly authenticate machine + user via 1X credentials for both in each connection, then recommendation would be AC NAM for supported Windows clients, but ultimately TEAP is the preferred route and that still has not been adopted by major players like Microsoft / Apple.

HTH,

Craig

Thanks a lot, Craig for the detailed response. It was really helpful.

One more point I need to clarify here:

In a corporate machine, Windows Native supplicant is set to "User or Machine Authentication". Now the endpoint goes for sleep/hibernate. If the user disconnects that corporate machine and connects a Non-corporate machine within the MAR cache aging time, enters his corporate username/password, will he be able to get through the authorisation? Even though I have AuthZ policy configured as "user EQUALS ad/DomainUsers | AND | wasMachineAuthenticatedStatus EQUALS True".

That's another risk in MAR, right?

Thanks and Regards

V Vinodh.

Why would that be a concern? MAR is because of mac address, the other machine has a different one and will fail that policy

Thanks Jason, for responding. I missed to mention in case if the user has a Non-corporate machine with same MAC (spoofed), same Hostname and may be even the same static IP configured, then will that make a security loop hole.

Regards

V Vinodh.

BINGO!  MAC caching is not authentication!   Just as MAB-based auth for registered devices is not a true authentication of device identity.   For this you would need to look at EAP Chaining and TEAP (assuming vendors adopt the open standard).

That said, the use of MAR or other chained methods does provide a tighter security than NOT doing it and are often sufficient to address abuse cases (employees trying to circumvent policy), or minor hack attempts, but not more sophisticated attacks.  Even with MAR, some comfort can be found in the fact that deliberate attackers would still need to know user credentials in addition to knowing the MAC to spoof.   We do have basic MAC spoofing detections in ISE, but that is another topic.

Craig

MAC spoofing is a terrible vulnerability if you use MAR cache. A user can connect his own notebook with replicated mac address and make it join to network with his/her credentials. We experienced that. Don't trust to user certificates. Some users can find a way to export it to their own machines.
What we had to do here is, using computer authentication only, with native supplicant and disabled the MAR cache feature.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: