1031 Views · 0 Helpful · 4 Replies

Cisco ISE authorization

elemzy
Level 1

Hi

I want to find out if it's possible in an ISE dot1x implementation to authenticate domain machines using EAP-TLS (certificate) and, after successful authentication, authorize the user using AD domain users. I can't seem to get this to work; the ISE just skips the authorization policy which I created to reference AD.

It seems you can only authenticate and authorize with the same parameter, which I was able to achieve using MSCHAP-V2.

My aim is to authenticate the connecting PC using the internal CA and further authorize the users using AD membership.

Thanks


4 Replies

This can be accomplished using EAP-Chaining and AnyConnect.

It may not specify it in the document, but you can use different inner methods for the Machine and User authentication.
http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-80-EAPChaining_Deployment.pdf

Hi Justin,

Thanks for the response. I've been reading about EAP chaining, but my challenge is that the customer doesn't want to deploy the AnyConnect supplicant.

Can you categorically state if this can be achieved with the Windows 7/8 native supplicant?

If yes, do you have an idea of the NIC setting?
Thanks

Although EAP-FAST and EAP chaining are not proprietary to Cisco, AnyConnect is the only supplicant that I am aware of that currently supports the feature.

The only other option that I can tell you is using machine access restrictions (MAR), but I would highly recommend against this unless the customer is aware of the caveats associated with MAR. With MAR the supplicant is configured to use "user or computer". When the user is logged off, the device authenticates using the computer's account. When the user logs in, the supplicant starts the authentication process over using the user credentials. With MAR, ISE first verifies that the machine authenticated before the user. If not, then the user is not authorized to connect. The issue is that if the device goes into hibernation instead of logging off, the user may fail to authenticate because ISE doesn't see the computer auth.

EAP chaining is the answer to MAR's shortfalls. This is because the computer and the user authenticate together every time.

If their goal is to ensure that the device is a corporate-owned device, then you can always consider posture as a means to ensure that. You can have a registry entry or file on the computer that signifies that the device is a corporate-owned device. You would still need to install the posture agent, and this would change the licensing requirements, whereas EAP chaining is included in the base licensing and doesn't require Plus or Apex.

The other outside-of-the-box idea that I have seen is to use GPO to change the LAN NIC's name to something like "Corporate LAN", and then using profiling you can create a custom profile that matches. See pages 91-114; there are several options listed, including the ones I've already mentioned.

http://d2zmdbbm9feqrf.cloudfront.net/2015/anz/pdf/BRKSEC-3697.pdf
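To make the MAR caveat in the reply above concrete, here is a small model (added example, not ISE code or anything from the thread) of the MAR decision and the EAP chaining decision side by side. The MAR cache with a fixed aging window is an assumption used only to illustrate why a resume from hibernation can fail user authorization when no fresh machine authentication has been seen.

```python
"""Model of the MAR authorization check versus EAP chaining.
Constructed example; the MAR cache aging window is an assumption,
not a statement of how ISE implements it."""
from dataclasses import dataclass, field

MAR_CACHE_AGE_SECONDS = 6 * 3600  # assumed MAR cache aging time


@dataclass
class MarCache:
    # MAC address -> time of the last successful machine authentication
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: int) -> None:
        self.entries[mac] = now

    def machine_authenticated(self, mac: str, now: int) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= MAR_CACHE_AGE_SECONDS


def authorize_user(cache: MarCache, mac: str, user_ok: bool, now: int) -> str:
    """MAR: user is permitted only if credentials are valid AND the same
    endpoint completed machine auth within the cache window."""
    if not user_ok:
        return "REJECT: bad user credentials"
    if not cache.machine_authenticated(mac, now):
        return "REJECT: no machine auth in MAR cache (e.g. resume from hibernation)"
    return "PERMIT: machine and user both authenticated"


def authorize_eap_chaining(machine_ok: bool, user_ok: bool) -> str:
    """EAP chaining: both identities are presented in one session,
    so the result never depends on an earlier cached machine auth."""
    if machine_ok and user_ok:
        return "PERMIT: machine and user both authenticated"
    if user_ok:
        return "LIMITED: user only, device not corporate"
    return "REJECT"


def mar_scenario() -> list:
    """Logoff -> machine auth -> login works; hibernate -> resume after
    the cache entry aged out fails, because no new machine auth occurs."""
    cache = MarCache()
    mac = "00:11:22:33:44:55"  # constructed endpoint MAC
    cache.record_machine_auth(mac, now=0)              # PC at logon screen
    login = authorize_user(cache, mac, True, now=60)   # user logs in
    # Hibernation: no logoff, so no new machine auth; resume the next day
    resume = authorize_user(cache, mac, True, now=MAR_CACHE_AGE_SECONDS + 1)
    return [login, resume]
```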

Thanks again Justin for taking time to explain. I have stumbled on and implemented the MAR, but I wasn't aware of the caveat. I'll try and observe the effect in a lab and also check if I can disable hibernation with a GPO. I guess AnyConnect is the long-term solution, but I'll roll out with the MAR for now. The only challenge for me is that there is no report under the ISE reporting tool that actually shows the authenticated machine info. The other options are a no-go although I have a Plus license. Thanks once again.