cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
24214
Views
40
Helpful
12
Replies

Machine +User Auth for windows endpoint autheticating through ISE

paragmahajan40
Level 1
Level 1

Hi

Is there any way to use machine + user auth at same time when authenticating Windows machine through ISE.  In Windows native supplicant there is option as

1) Machine OR user Auth

2) User Authentication

3) Machine Authentication

4) Guest authentication

I want to give more priveledge access to endpoints where they are joined to AD domain AND the user is logged in using AD credentials.

Is there any way to achieve this functionality ...

1 Accepted Solution

Accepted Solutions

neeleshus
Level 1
Level 1

There is one way to achieve Machine+User authentication through ISE.

Prerequisites:  For windows 7 machine, please select “User or computer Authentication “ in authentication method ( Not applicable to Windows Xp)

You need to create two rules in Authorization policy as below

1st Rule  :      

iselabin.local:ExternalGroups==Domain  Computers

With the 1st rule , machine will get authorized access when machine boots up ( Before user enters his credentials)

2nd Rule:

Network Access:WasMachineAuthenticated ==True 

                             AND

iselabin.local:ExternalGroups==Domain Users

User will enter credentials and he will get authorized access because of  2nd Rule.Please find attached screenshot

I hope it answers your query

Neelesh Marathe

SecurView Systems

View solution in original post

12 Replies 12

Tarik Admani
VIP Alumni
VIP Alumni

With windows you do not have the option, however with ISE 1.1.1 and the latest cisco anyconnect nam supplicant (which is free) has a feature called eap chaining, it uses eap-fast to send the authentication sequence just as you want.

Here is the reference:

ISE release notes

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279

Anyconnect release notes

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871

Configuration of anyconnect -

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210

Tarik Admani
*Please rate helpful posts*

neeleshus
Level 1
Level 1

There is one way to achieve Machine+User authentication through ISE.

Prerequisites:  For windows 7 machine, please select “User or computer Authentication “ in authentication method ( Not applicable to Windows Xp)

You need to create two rules in Authorization policy as below

1st Rule  :      

iselabin.local:ExternalGroups==Domain  Computers

With the 1st rule , machine will get authorized access when machine boots up ( Before user enters his credentials)

2nd Rule:

Network Access:WasMachineAuthenticated ==True 

                             AND

iselabin.local:ExternalGroups==Domain Users

User will enter credentials and he will get authorized access because of  2nd Rule.Please find attached screenshot

I hope it answers your query

Neelesh Marathe

SecurView Systems

Thanks Neelesh. That is very helpful.

I have tested solution what Neelesh has suggested.  I just want to confirm it is not related to MAR (Machine Access Restriction ).. I have enabled/disbaled MAR from ISE from external Identity source - AD -  advance setting. but it seems that MAR does not play any role for above authorization policies...

Any thoughts on this...

Hi,

There is a new feature in ise 1.1.1 and cisco anyconnect network access manager called eap chaining. What this does it allows you send both the machine and user authentication request in a single eap transaction. There is a new attribute called eapchaining and I am sure that will provide the results you are after. However, there is a bug that is open that will place you in a posturing loop, but if you are just performing authentication at the moment please take a look at this feature:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279

Tarik Admani
*Please rate helpful posts*

Hi Paraq,

How did you achieve this (AD domain AND the user is logged in using AD credentials) as I have same requirement. Could you please share your experience with me.

My requirement is, I am xyz company employee having company laptop as well as my personal laptop. Both need to be authenticated through AD credentials but should go to different authorization profiles (company asset & non company asset). How to achieve this. Please help

Awaiting for your positive & prompt response.

Thanks

Hi,

as Tarik mentioned. With help of EAP-Chaining you can do this. There is a policy condition for this - EAP-Chaining machine succeeded, user suceeded which can match company assets and aditional rule can be machine failed, user succeeded which can go to different VLAN, ACL ....

K.

Hi,

For sure your procedure is working but there is a problem on it.

I have tested it.

During bootup,  let us says the Endpoint authenticates successfully (maybe through AD) and got temporary access.

After user credentials u got full access.

 

When u are trying to a RDP with a local account which is allowed because it is a non domain user, you connect to local machine and you got Endpoint credentials because on RDP endpoint authentication information are sent to the ISE not USER.

 

How to resolve that issue ? It is a serious problem !!!

Matt

Neelesh,

 

What will happen when user switches from Wired connection to Wireless connection, will ISE keep track of Machine authentication which happened over wired connection or does user need to log out and log back in every time they switch between wired and wireless connection?

 

Traditionally the answer to this is no. ISE treats every Mac address as a unique endpoint. This is still the case if you are using native supplicants.

The exception and why I said traditionally above is because as on ise 2.6 and any conne t 4.7 there is a concept of a UDI. The UDID remains the same for an endpoint regardless of Mac address.



Identify Managed Devices with Dynamic MAC Addresses
AnyConnect 4.7 now provides a Unique Device ID (UDID) to identify a connected user. The UDID value can be mapped with information from Mobile Device Management (MDM) providers to help identify users who have the same MAC address. MAC address sharing is common in open offices, where more than one person shares a dock or USB dongle.

Business Outcome
You can develop a solution that uses the UDID to uniquely identify a user, when device connections are shared.

Hello Sir,

 

I would like to confirm if the prerequisite is only windows 7 or it works with windows 10 machine also

peter.matuska1
Level 1
Level 1

Does the Windows native supplicant support EAP-TEAP? or will it be supported in a near future?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: