

Cisco AnyConnect NAM User vs. Machine Auth

Hello Everyone,

I am trying to understand the difference between User and Machine Authentication. The real question is what gets sent when I use machine auth? Is it the host's MAC address, or the host name, when I first plug into an 802.1X-enabled port? I want to understand the process it takes, and the use cases.

For user auth I also want to understand the process, and what information is passed when plugged into an 802.1X-enabled port.

Thanks,

Rafael

Accepted Solution

Cisco AnyConnect NAM User vs. Machine Auth

The FQDN is sent in the format host/machinename.yourdomain.com. I have not worked with FreeRADIUS, so I don't know if there is a machine access restriction feature. Cisco ACS also uses TACACS, which isn't available in FreeRADIUS, so there is much more to ACS than just RADIUS.

Thanks,

Tarik Admani
*Please rate helpful posts*

5 REPLIES

Cisco AnyConnect NAM User vs. Machine Auth

Hi,

Machine authentication is when the computer itself authenticates. That can be done via PEAP or EAP-TLS (if certificates are deployed); the PEAP credentials are exchanged between the computer and the domain controller (KDC). So machine credentials get sent (the username is the name of your computer, hence one reason computer accounts have to be unique).

User authentication is the domain account that you use to log in to the device.

The use case with machine authentication is to make things simpler, so that users do not have to enter their credentials, or to add security when you combine machine authentication with user authentication. Cisco ACS and ISE have a feature called machine access restrictions, which can restrict user authentications to a machine that has succeeded at machine authentication (this prevents Apple devices, and other devices, from getting access to the network).

Thanks,

Tarik Admani
*Please rate helpful posts*

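A defender-side illustration of the two points made in this thread (the machine identity arriving as host/fqdn, and a machine-access-restriction style check that only admits a user auth from an endpoint that recently passed machine auth). This is added example code, not from the thread, Cisco ACS or ISE; the log line format, the constructed sample log and the 8-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of authentication-server log lines (not real ACS/ISE output).
# Fields: timestamp, outcome, RADIUS User-Name, Calling-Station-Id (endpoint MAC).
SAMPLE_LOG = """\
2013-05-01T08:00:02 PASSED host/pc-101.corp.example.com 00:11:22:33:44:55
2013-05-01T08:00:40 PASSED CORP\\rafael 00:11:22:33:44:55
2013-05-01T08:05:10 PASSED CORP\\guest.user aa:bb:cc:dd:ee:ff
2013-05-01T09:30:00 PASSED host/pc-102.corp.example.com 66:77:88:99:aa:bb
2013-05-01T17:45:00 PASSED CORP\\late.worker 66:77:88:99:aa:bb
"""

LINE_RE = re.compile(r"^(\S+) (PASSED|FAILED) (\S+) (\S+)$")


def classify_identity(user_name):
    """Machine auth presents host/<fqdn>; anything else is treated as a user identity."""
    if user_name.startswith("host/"):
        return "machine", user_name[len("host/"):]
    return "user", user_name


def mar_check(log_text, max_age=timedelta(hours=8)):
    """Replay the log in order and decide, per user auth, whether the same endpoint
    (by MAC) had a successful machine auth within max_age. Returns a list of
    (user_name, mac, allowed) tuples, one per user authentication seen."""
    last_machine_pass = {}  # endpoint MAC -> time of its last successful machine auth
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed record
        ts, outcome, user_name, mac = m.groups()
        when = datetime.fromisoformat(ts)
        kind, _ = classify_identity(user_name)
        if kind == "machine":
            if outcome == "PASSED":
                last_machine_pass[mac] = when
            continue
        seen = last_machine_pass.get(mac)
        allowed = seen is not None and when - seen <= max_age
        results.append((user_name, mac, allowed))
    return results


if __name__ == "__main__":
    for user, mac, ok in mar_check(SAMPLE_LOG):
        print(f"{user:<20} {mac}  {'ALLOW' if ok else 'DENY (no recent machine auth)'}")
```

On the sample above, rafael is admitted (his PC passed machine auth seconds earlier), guest.user is denied (the endpoint never did machine auth, the Apple-device case from the reply), and late.worker is denied because the machine auth is older than the window.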

Re: Cisco AnyConnect NAM User vs. Machine Auth

Thanks for the reply. So with machine auth, is the host name sent or the full FQDN? No user password input is required, from what you're telling me, right? Also, is this feature more of an ACS feature, or can it be used with plain RADIUS like FreeRADIUS?

Sent from Cisco Technical Support iPhone App


Re: Cisco AnyConnect NAM User vs. Machine Auth

I'm hurt Don Rafael. You could have just called/emailed me. Hahahaha

Sent from Cisco Technical Support iPhone App

HTH, Steve
Please remember to rate useful posts, and mark questions as answered

Re: Cisco AnyConnect NAM User vs. Machine Auth

: )

Sent from Cisco Technical Support iPhone App
