Machine + User Auth for Windows endpoint authenticating through ISE

Answered Question
Aug 20th, 2012

Hi

Is there any way to use machine + user auth at the same time when authenticating a Windows machine through ISE? In the Windows native supplicant the options are:

1) Machine OR user authentication

2) User authentication

3) Machine authentication

4) Guest authentication

I want to give more privileged access to endpoints that are joined to the AD domain AND where the user is logged in using AD credentials.

Is there any way to achieve this functionality?

Tarik Admani Tue, 08/21/2012 - 15:33

With Windows you do not have the option; however, ISE 1.1.1 together with the latest Cisco AnyConnect NAM supplicant (which is free) has a feature called EAP chaining. It uses EAP-FAST to send the authentication sequence just as you want.


Here is the reference:


ISE release notes

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279


Anyconnect release notes

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871


Configuration of anyconnect -

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210



Tarik Admani
*Please rate helpful posts*

Correct Answer
neeleshus Thu, 08/23/2012 - 00:15

There is one way to achieve machine + user authentication through ISE.

Prerequisites: for a Windows 7 machine, please select "User or computer authentication" as the authentication method (not applicable to Windows XP).

You need to create two rules in the Authorization policy as below.

1st Rule:

iselabin.local:ExternalGroups == Domain Computers

With the 1st rule, the machine will get authorized access when it boots up (before the user enters his credentials).

2nd Rule:

Network Access:WasMachineAuthenticated == True

                             AND

iselabin.local:ExternalGroups == Domain Users

The user will enter his credentials and will get authorized access because of the 2nd rule. Please find the attached screenshot.


I hope it answers your query




Neelesh Marathe

SecurView Systems

paragmahajan40 Wed, 09/05/2012 - 03:41

I have tested the solution Neelesh suggested. I just want to confirm that it is not related to MAR (Machine Access Restrictions). I have enabled/disabled MAR in ISE under the external identity source - AD - advanced settings, but it seems that MAR does not play any role in the above authorization policies...


Any thoughts on this...

Tarik Admani Wed, 09/05/2012 - 08:23

Hi,


There is a new feature in ISE 1.1.1 and Cisco AnyConnect Network Access Manager called EAP chaining. What this does is allow you to send both the machine and user authentication requests in a single EAP transaction. There is a new attribute called EAPChaining and I am sure that will provide the results you are after. However, there is an open bug that will place you in a posturing loop, but if you are just performing authentication at the moment, please take a look at this feature:


http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279



Tarik Admani
*Please rate helpful posts*

Tabish Mirza Sat, 11/10/2012 - 12:33

Hi Parag,

How did you achieve this (AD domain AND the user logged in using AD credentials)? I have the same requirement. Could you please share your experience with me?

My requirement is: I am an xyz company employee with a company laptop as well as my personal laptop. Both need to be authenticated through AD credentials but should go to different authorization profiles (company asset & non-company asset). How can this be achieved? Please help.

Awaiting your positive & prompt response.


Thanks

Karel Navratil Mon, 11/12/2012 - 15:02

Hi,


As Tarik mentioned, with the help of EAP chaining you can do this. There is a policy condition for this - EAP chaining machine succeeded, user succeeded - which can match company assets, and an additional rule can be machine failed, user succeeded, which can go to a different VLAN, ACL, ...


K.
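As an added illustration of the two approaches in this thread (the two-rule WasMachineAuthenticated policy in the accepted answer, and the EAP chaining result Tarik and Karel describe), the Python model below is example code written for this page; it is not Cisco code and not from any post above. It assumes that WasMachineAuthenticated is backed by the MAC-keyed MAR cache with an aging timer, which is how the ISE documentation describes the attribute (paragmahajan reports above that toggling MAR made no difference in his test, so treat the cache here as the documented mechanism, not a confirmed observation). The profile names, identities, MAC addresses and the 8-hour aging time are constructed for the example.

```python
"""Toy model of the two authorization approaches discussed in this thread.

Added example, not Cisco code and not taken from any post above. It simulates
how the two rules in the accepted answer behave across separate machine and
user RADIUS sessions, and how EAP chaining collapses both results into one
decision. Profile names, aging time, identities and MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory contents (stand-ins for the AD external groups).
DOMAIN_COMPUTERS = {"CORP-LAPTOP-01$"}
DOMAIN_USERS = {"alice"}

# Constructed authorization profile names.
MACHINE_ACCESS = "Machine_Access"   # rule 1: Domain Computers
FULL_ACCESS = "Full_Access"         # rule 2: WasMachineAuthenticated AND Domain Users
NONCORP_ACCESS = "NonCorp_Asset"    # EAP chaining: machine failed, user succeeded
DENY = "DenyAccess"                 # implicit default rule


@dataclass
class MarCache:
    """Machine Access Restrictions cache as the ISE documentation describes it
    (assumption for this model): a successful machine auth is recorded against
    the endpoint MAC (Calling-Station-ID) and expires after aging_hours."""
    aging_hours: int
    entries: dict = field(default_factory=dict)  # mac -> time of machine auth

    def record(self, mac: str, now_h: float) -> None:
        self.entries[mac] = now_h

    def was_machine_authenticated(self, mac: str, now_h: float) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now_h - seen <= self.aging_hours


def external_group(identity: str) -> Optional[str]:
    """Resolve an identity to its AD group (stand-in for the ExternalGroups lookup)."""
    if identity in DOMAIN_COMPUTERS:
        return "Domain Computers"
    if identity in DOMAIN_USERS:
        return "Domain Users"
    return None


def authorize_sequential(identity: str, mac: str, now_h: float, mar: MarCache) -> str:
    """The two-rule policy from the accepted answer, evaluated top-down.

    Rule 1: ExternalGroups == Domain Computers                 -> MACHINE_ACCESS
    Rule 2: WasMachineAuthenticated == True AND Domain Users   -> FULL_ACCESS
    Default                                                    -> DENY
    """
    group = external_group(identity)
    if group == "Domain Computers":
        mar.record(mac, now_h)  # a machine-auth success populates the MAR cache
        return MACHINE_ACCESS
    if group == "Domain Users" and mar.was_machine_authenticated(mac, now_h):
        return FULL_ACCESS
    return DENY


def authorize_chained(machine_ok: bool, user_identity: str) -> str:
    """EAP chaining (EAP-FAST): machine and user results arrive in one EAP
    transaction, so the policy keys on the pair, not on a MAC-indexed cache."""
    user_ok = external_group(user_identity) == "Domain Users"
    if machine_ok and user_ok:
        return FULL_ACCESS        # EAP chaining: machine succeeded, user succeeded
    if not machine_ok and user_ok:
        return NONCORP_ACCESS     # EAP chaining: machine failed, user succeeded
    if machine_ok:
        return MACHINE_ACCESS     # pre-logon: machine only
    return DENY


def scenarios() -> dict:
    """Run the cases a practitioner would want to check. Times are in hours."""
    mar = MarCache(aging_hours=8)
    out = {}
    corp_mac, personal_mac = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"
    # Corporate laptop boots (machine auth), then alice logs on shortly after.
    out["boot"] = authorize_sequential("CORP-LAPTOP-01$", corp_mac, 0.0, mar)
    out["logon_after_boot"] = authorize_sequential("alice", corp_mac, 0.02, mar)
    # Same laptop, user re-authenticates after the MAR entry has aged out.
    out["logon_after_aging"] = authorize_sequential("alice", corp_mac, 9.0, mar)
    # Personal laptop with AD credentials but no machine account: rule 2 cannot match.
    out["personal_laptop"] = authorize_sequential("alice", personal_mac, 0.5, mar)
    # Personal laptop spoofing the corporate MAC while the entry is fresh:
    # MAR correlates on MAC only, so the user rule matches anyway.
    out["spoofed_mac"] = authorize_sequential("alice", corp_mac, 0.5, mar)
    # EAP chaining: the same two laptops, one decision each.
    out["chained_corp"] = authorize_chained(True, "alice")
    out["chained_personal"] = authorize_chained(False, "alice")
    return out
```

Calling `scenarios()` shows the behaviour each post in the thread relies on: the corporate laptop gets Machine_Access at boot and Full_Access at logon, the personal laptop with the same AD user falls to the default rule, and with EAP chaining the personal laptop lands in the separate non-corporate profile Tabish asked for. The `spoofed_mac` and `logon_after_aging` cases are the caveats: in the sequential approach the user session is tied to the machine session only through Calling-Station-ID and a timer, which is the gap EAP chaining closes by carrying both results inside one EAP-FAST exchange.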
