User Authentication ms Machine Authentication vs both

Answered Question
Jan 28th, 2011

I would like to start up a discussion about Wireless authentication to  Active Directory via PEAP.  What are the benefits of using User  Authentication vs Machine Authentication vs using both?

I have this problem too.
0 votes
Correct Answer by George Stefanick about 2 years 7 months ago

Have you looked at the new Cisco ISE? This will allow you to have one SSID and segment users while also providing certificate managment at some level.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
George Stefanick Fri, 01/28/2011 - 17:31

The big seller for Machine Authentication is your machine (pc) gets authenticated to the network at start up. Meaning it gets on the network so that your users can then logon with their credentials. This is normally doen with GINA or a supplicant.

jlhainy Sat, 01/29/2011 - 11:08

Yeah, I get that.  What about using them both together.  So lets say that the macine authenticates so that it can download any machine policies from AD and then the user logs in and it re authenticates to the wireless.  Is there any value it that, or is it over complicating things.  Here are the scenerios.

1) We don't want users being able to use personal devices, so using user authentication is out.

2) we have some company devices that can't join a domain, like ipads, so user authentication is in...

I realize that I could create 2 seperate SSIDs for these situations... So maybe do one with machine authentication for the company AD devices and then user authenication for the non AD devices?

then there is the issue if the device is stolen, then what do we do?  They don't want a stolen device to be able to attach to the wireless network.  that is why I ask the question of using both user and machine authenication... but now that I think about it, we could just kill the stolen device out of AD or something and that should take care of it.

Besides, on Windows 7, there is an option to use User or machine authentication.  As I watch my radius logs, it looks like it does machine auth first and then reauthenticates using the user name.  Tying to determine if that has any benefit or not.

Scott Fella Sun, 01/30/2011 - 05:55

Well since you have both domain computers and no domain devices, then you are on the right track.  You shoul have two ssid's if you ask me, so that you can map the ssid for non-domain devices to a vlan you can filter better.  As for Windows 7 using User or Computer.... that means both.  You will need to have a user and computer certificate in order to choose this setting.  With certificates for user and computers, you can always revoke the certificate and remove the user from AD or the OU.  Even if you have User and Computer and the device gets stolen, well.... until you remove the computer or user, that device will be able to get on the network.  So it will be how fast the user tells you he or she has lost their laptop and how long it takes for them to remove the user or computer from AD.  WIndows 7 along with Vista does have a setting to allow the computer to access the network before the login prompt is presented to the user.

jlhainy Mon, 01/31/2011 - 06:47

So really then, there isn't a whole lot of benefit of trying to force both user and machine authentication on the same SSID.  Is that right?  I would also think that if you allowed the machine have access by group, if its stolen, then you could just remove it from the group.  Plus, the thief would still need an AD acct which they may or may not have, depending on who it is.  But if its stolen and there is not a local profile on the machine and the machine is not on our network, they still wouldn't get on.  The danger is really only if the thief is an employee that may also have credentials or has stolen credentials.

Like I say, I just may be overly paranoid, but my security hat tends to get me to think that way.  The main point is to keep peple from bring their own personal devices in and attaching.  I think I have mitigated that.  I am just trying to think of any other scenerios while I am thinking about it.

Thanks for the feedback!

jlhainy Mon, 01/31/2011 - 06:50

Also, how does MAR play into all of this.  (Machine Access Restriction)?

nickjacobs Mon, 01/31/2011 - 16:04

Machine Auth means the computer can get on the network before a user logs on - this means people that don't have locally cached profiles can log onto tthe machine as it is on the network and domain. It also means that login scripts etc can run during logon. On XP at the wireless re-auth period it will switch to user cert (depending on what registry for computer is of course) - windows 7 it reauths as user straight away at logon. User cert only will mean that the machine will not be on the network or domain at logon prompt restricting the use to cached users.

Way I see it are two sensible options are only use machine auth for network access (wireless or DOT1X on wired) and then user credentials against AD for services access - or use both machine and user as described above. I wouldn't just have user certs as its too restrictive - but depends what you want to see in your logs...

jlhainy Tue, 02/01/2011 - 06:34

Nick,

I understand the difference between the two, what I am trying to understand is the benefit of using both together and if there are any issues with doing that, such as overhead.

Vinay Sharma Sat, 09/03/2011 - 05:45

Hello Jared,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.

Thanks,

Vinay Sharma

Community Manager – Wireless

jlhainy Thu, 09/08/2011 - 06:36

Hi Vinay,

You need a button for "helpful answer"  Scott's answer was helpful, but not entirely what I was looking for.

Correct Answer
George Stefanick Thu, 09/08/2011 - 08:35

Have you looked at the new Cisco ISE? This will allow you to have one SSID and segment users while also providing certificate managment at some level.

jlhainy Fri, 09/09/2011 - 20:47

I was introduced to it at CiscoLive.  It is definately something I am going to look into further.  The main question regarding ISE is how mature is it as a product.  Its obviously new and I know its supoosed to be some kind of combo of NAC and ACS. 

2nd question is, can I afford it.

George Stefanick Sat, 09/10/2011 - 06:09

I hear ya my friend...

You can also get creative with dyamic vlans with a WLC and radius server. This can be an optoin at some level that might help you ...

Actions

Login or Register to take actions

This Discussion

Posted January 28, 2011 at 5:07 PM
Stats:
Replies:12 Avg. Rating:5
Views:1572 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard