cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13435
Views
10
Helpful
8
Replies

ISE EAP-Chaining with machine, certificate and domain credentials

Good morning,

A customer wants to do the following for their corporate wireless users (all clients will be customer assets):

Corp. wireless to authenticate with 2-factor authentication:

  • •1. Certificate
  • •2. Machine auth thru AD
  • •3. Domain creds

When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.

Clients are Windows laptops and corporate iPhones.

Certs can be issued thru GPO and MDM for iPhones

Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627

My first question is: can this be done?

Second question: how would i implement this from an AuthC/AuthZ perspective?

Thanks in advance,

Andrew

8 Replies 8

rodrigo.cisco
Level 4
Level 4

You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...

For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.

Good luck and keep in touch.

Hi Rodrigo,

how did you solve problem where windows 7 is sending user "anonymous" on login? I have exactly the same problem, my ISE shows that credentials are actually anonymous!

Thanks

blenka
Level 3
Level 3

Kindly go through the link may help you.

http://www2.uni-frankfurt.de/47587107/anyconnect31rn.pdf

Thank you for the replies.

Going back to the customer, and they don't want to load any extra clients on their machines, so I have to work within the restrictions of the WIndows native supplicant.

Given that limitation, how can I authenticate/authorize against: machine auth in AD, user creds in AD, and a client cert (EAP-TLS).  The result should be: if the client passes all 3, then they are allowed on the network.

thanks in advance

dal
Level 3
Level 3

Hi.

With Windows laptops, this shouldn't be a problem.

As I see it, 1 and 2 are the same thing; Machine Auth uses the machine certificate to authenticate. And to link the computer certificate against the proper computer in AD, you can go in to Administration -> External Identity Sources ->

Certificate Authentication Profile -> and check the box that says:

Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory. Then you must make a rule that matches something in your AD or in your certificate.

And to link the User against the Computer, you can add a rule that contains this:

Network Access:WasMachineAuthenticated Equals True.

Not sure how this will play out on mobile devices, though.

Hello,

I know that this is a old thread but I'm dealing with an issue that a thought that you can help solving out.

I've deployed ISE 2.0 and I've create a policy to match the machine and user certificate but for some reason the computer certificate is being validated and the user certificate not.

and I'm receiving the following error:

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).

 

My client machine is Windows 7(with anyconnect installed) and I've an internal root CA.

Regards,

AM 

I don't see how this would work with windows devices.  The native supplicant only authenticates with either the user or the machine.

Also, how would you setup the native supplicant to perform certificate based authentication for the machine and user based authentication for the user?  As far as I know you can't do PEAP-MSCHAPv2 & EAP-TLS at the same time with the native windows supplicant.

@Let's your GPO to push down Machine Cert ( if this is windows env: )

 

@ISE,

1) Create Certificate Profile & add at Identity Source Sequence

2) Apply Identity Source at Authentication Policy

3) You need 2 rules at Authorization Policy

3.1 - 1st : get Machine authorized first.

3.2 - 2nd: WasMachineAuthenticated EQUALS True & get user authorized.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: