SEC0046 - ISE 1.1 Wireless 802.1X and Machine Authentication with EAP-TLS


The video walks you through the configuration of wireless 802.1X using EAP-TLS on Cisco ISE. We will look at how to configure authentication and authorization policies to support both user and machine authentication, how to restrict network access with a DACL, and how to use Machine Access Restriction (MAR) to correlate user and machine sessions so that a user can access the network only from a domain (corporate) computer. We will perform testing from a domain computer, a non-domain computer, and an iPhone, and observe the authentication results.

Topic:
  • Certificate Profile (Common Name)
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • EAP-TLS is a certificate-based authentication method.
  • With EAP-TLS, a client certificate is required, and the server's root certificate must be trusted by the client supplicant (or server certificate validation must be disabled on the supplicant).
  • User and machine certificates should be issued as non-exportable; otherwise the security can be circumvented.
  • Machine authentication only happens at the Windows login screen.
  • An account log-off or machine reboot may be required to force machine authentication.
  • The Wireless LAN Controller uses a named ACL instead of a Downloadable ACL.

 

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

30 comments

I've figured out an alternative to check for WasMachineAuthenticated and still use certificates.

For corporate devices (using GPO), modify authentication to use a PEAP tunnel (PEAP outer, EAP-TLS inner). For BYOD corporate users, simply use EAP-TLS.

This way we can identify the authentication flow.

So my authz policies look like this:

LAB-WIRED-MACHINE # PEAP Tunnel (see below)
LAB-WIRED-BLACKLIST
LAB-WIRED-USER # corporate user, PEAP Tunnel (see below)
...
LAB-WIRED-BYOD # corporate user with personal device, uses EAP-TLS (see below).

The authz compound condition for LAB-WIRED-MACHINE is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Computers AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-USER is this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS Ethernet AND
AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Users AND
Network Access:WasMachineAuthenticated EQUALS True AND
Network Access:EapTunnel EQUALS PEAP AND
Network Access:EapAuthentication EQUALS EAP-TLS

The authz compound condition for LAB-WIRED-BYOD is this:

AD1:ExternalGroups EQUALS lab2.domain.co.uk/LAB2/BYOD Users AND
DEVICE:Device Type EQUALS All Device Types#Switch AND
Network Access:EapAuthentication EQUALS EAP-TLS

On corporate machines, logging shows the prior machine auth using PEAP(EAP-TLS):

Authentication Protocol : PEAP(EAP-TLS)
...
24422 ISE has confirmed previous successful machine authentication for user in Active Directory

And on BYOD machines, logging shows it falls through to LAB-WIRED-BYOD and can be given a different DACL or results, etc.

Authorization Policy Matched Rule: LAB-WIRED-BYOD
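As an added example (not ISE's code and not the commenter's configuration), the following Python models how a first-match authorization policy with compound AND conditions behaves, and how MAR derives Network Access:WasMachineAuthenticated from an earlier successful machine authentication on the same endpoint MAC (Calling-Station-ID); the rule names and attribute values mirror the conditions quoted in the comment above, and all session attributes are constructed.

```python
# Added example (not ISE's code or the commenter's configuration): a small model of
# first-match authorization with compound AND conditions, and of how MAR derives
# WasMachineAuthenticated from earlier machine authentications. Values are constructed.

_mar_cache = set()  # endpoint MACs (Calling-Station-ID) that passed machine auth

def record_machine_auth(session):
    """Machine account authenticated successfully: remember the endpoint MAC."""
    _mar_cache.add(session["Calling-Station-ID"])

def attr_equals(session, key, value):
    """EQUALS check; multi-valued attributes (AD groups) match on membership."""
    actual = session.get(key)
    return value in actual if isinstance(actual, list) else actual == value

# Rule order matters: evaluation stops at the first rule whose condition holds.
RULES = [
    ("LAB-WIRED-MACHINE", {
        "Radius:Service-Type": "Framed", "Radius:NAS-Port-Type": "Ethernet",
        "AD1:ExternalGroups": "lab2.domain.co.uk/Users/Domain Computers",
        "Network Access:EapTunnel": "PEAP",
        "Network Access:EapAuthentication": "EAP-TLS"}),
    ("LAB-WIRED-USER", {
        "Radius:Service-Type": "Framed", "Radius:NAS-Port-Type": "Ethernet",
        "AD1:ExternalGroups": "lab2.domain.co.uk/Users/Domain Users",
        "Network Access:WasMachineAuthenticated": "True",
        "Network Access:EapTunnel": "PEAP",
        "Network Access:EapAuthentication": "EAP-TLS"}),
    ("LAB-WIRED-BYOD", {
        "AD1:ExternalGroups": "lab2.domain.co.uk/LAB2/BYOD Users",
        "DEVICE:Device Type": "All Device Types#Switch",
        "Network Access:EapAuthentication": "EAP-TLS"}),
]

def authorize(session):
    """Return the first matching rule name, or DenyAccess if no rule matches."""
    s = dict(session)
    s["Network Access:WasMachineAuthenticated"] = (
        "True" if s["Calling-Station-ID"] in _mar_cache else "False")
    for name, condition in RULES:
        if all(attr_equals(s, k, v) for k, v in condition.items()):
            return name
    return "DenyAccess"

def wired_session(mac, groups, tunnel="PEAP"):
    """Constructed attributes for a wired 802.1X EAP-TLS client (tunnel=None: bare EAP-TLS)."""
    return {"Calling-Station-ID": mac, "Radius:Service-Type": "Framed",
            "Radius:NAS-Port-Type": "Ethernet", "AD1:ExternalGroups": groups,
            "DEVICE:Device Type": "All Device Types#Switch", "Network Access:EapTunnel": tunnel,
            "Network Access:EapAuthentication": "EAP-TLS"}
```

A domain user on a MAC with no recorded machine authentication falls through every rule, which is the behaviour MAR is meant to enforce; the same user on a personal device matches LAB-WIRED-BYOD only because that rule does not require WasMachineAuthenticated.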

Hi,
It is not enough to say your work is great. I believe it is better than the lab scenario given by Cisco in their official training course. That one was a little messy.

I have a comment on the workaround solution mentioned above:

1- Does the same apply for LAB-WIRELESS-USER?
2- I did not get why adding PEAP in the authorization condition resolves the issue (PEAP outer, EAP-TLS inner). If there is any explanation, I would appreciate it if you could share it :)

Thanks

This issue only relates to the 'WasMachineAuthenticated' condition, where it fails to check the previous machine auth when you enable MAR, so it applies to both machine and user auth, since you can only have one type of authentication when using the Windows native supplicant. This seems to be a bug with MAR when using EAP-TLS, while PEAP works just fine, although it might be fixed in ISE 1.2.
Thank you for your feedback. We are glad you find our content useful.

How did you configure the Windows supplicant to do both user and machine authentication using EAP-TLS? As far as I can tell, it can only do one or the other, not both. Appreciate your help! BTW, your videos are great! They are my ultimate references for ISE.

Thanks,
Tao

When you configure the wireless profile, there are options for User authentication, Computer Authentication, and both. You need to select User or Computer Authentication.

It sounds silly, but my Windows 7 PC only has options for "User or computer", "User", "Computer" and "Guest" authentication under 802.1X Settings/Specify authentication mode. Are you using the Windows native supplicant? I know AnyConnect NAM has the option of Both.

Thanks,
Tao

It's the "User or Computer" option. Please keep in mind that machine auth only happens at the Windows login screen, in case you wonder why you don't see it after login.

Hi,
I came into a situation where I need to match corporate users. In your video, corporate users can be matched using AD1:ExternalGroups EQUALS lab2.domain.co.uk/Users/Domain Users

In my case, I have multiple domains and there is a trust between them, so my domain users are not in one domain and one group (Domain Users). Therefore, in order to match corporate users I need to do something like this:

Radius:Service-Type EQUALS Framed AND
Radius:NAS-Port-Type EQUALS 802.11 AND

AD1:ExternalGroups EQUALS domain1/Users/Domain Users OR
AD1:ExternalGroups EQUALS domain2/Users/Domain Users OR
AD1:ExternalGroups EQUALS domain3/Users/Domain Users OR

DEVICE:Device Type EQUALS All Device Types#WLC AND
Network Access:EapAuthentication EQUALS EAP-TLS

Is that possible? Or do I have to create a condition for each domain/group and then combine the conditions with OR in the authorization policy?

Would you please help?

I don't recall that ISE allows you to mix both AND and OR within the same rule, so most likely you will need to create an individual rule for each domain. Another thought, if at all possible, is to try to create an AD group with all the other domain groups as members and use that on ISE instead.

Thanks a lot. I think it is much easier to create an AD group with all the other domain groups as members, since in the authorization condition we can reference an AD group containing other groups nested within.

Thanks for your help

Labminutes, you guys rock! The materials are AWESOME.
Got a question. What will be the authorization condition on the user side if PEAP and not TLS is being used, assuming WasMachineAuthenticated is set to True? In this scenario, machine authentication is TLS.

Are you using the Windows native supplicant? If so, I don't believe you can do a different EAP type for machine and user authentication. It has to be one or the other. For the condition, look for either PEAP or EAP with MSCHAPv2 under EAPAuthenMethod or EapTunnel.

Hi,
I am using AnyConnect. The machine uses TLS and the user uses PEAP (MS-CHAP) in the AnyConnect profile. Only certificate authentication is between ISE and the machine. The user has no client certificate.

Since you are using the AnyConnect client already, there isn't really any reason not to do EAP Chaining. It is much cleaner and easier that way. Here is the video for it.
http://www.labminutes.com/sec0048_ise_1_1_user_machine_authentication_ea...

Thanks for getting back. I already have EAP-FAST working via AnyConnect, but the client does not want to make profile changes across the enterprise. So no changes to AnyConnect, but have the user authentication dependent on whether the machine was authenticated. This is the configuration on ACS and they want it migrated to ISE.
As mentioned, the machine authenticates OK using a certificate in the TLS tunnel, but PEAP authentication fails for the user because the WasMachineAuthenticated attribute fails. So the question is, what should the authorization conditions be configured to so ISE can work just like the ACS? Thanks for the help.

If you read some of the comments above, you can see that people have run into the same issue where MAR seems to break with machine auth using EAP-TLS. A workaround has been proposed to do EAP-TLS as the inner method of PEAP. I don't think you need to do anything special with the condition, as I am sure that if you remove the 'WasMachineAuthenticated' condition, the user would authenticate just fine.

I configured the same rule on ISE for certificate-based authentication and it's not working, as the client uses PEAP rather than EAP-TLS. The WLAN is configured to use 802.1X and WEP, with PSNs as the AAA servers. How do I enforce EAP-TLS on the client side? Am I missing something in the config?

Whether the client uses PEAP or EAP-TLS is a client-side configuration. If you are dealing with a Windows client, please make sure you have Smartcard selected instead of PEAP under the wireless profile. Also, you would want to use 802.1X with WPA/WPA2 instead of WEP.

My SSID is set to WPA2 + 802.1X, and when I change the client to use smartcard or certificate, ISE tells me it fails with error 22045: "policy result is configured for password based authentication methods but received certificate based authentication request".

Any suggestion?

It sounds like you need to create a certificate profile and use it directly under the authentication policy, or add it to an Identity Source Sequence that is being referenced in the authentication policy.

I am using a certificate profile in a different identity source sequence which also contains my AD as an identity store. Can you share your WLAN SSID config and how the client wireless is configured?

Thanks,

Hi,

How can I automatically download AnyConnect to the machine, or how do I enable the native client?

Could you elaborate on what you are trying to do? Are you trying to use AnyConnect NAM in place of Windows Native Supplicant?

Yes, I am speaking about AnyConnect NAM. How can we install it on the machine if I don't have the native client enabled and the machine is not joined to the domain?

Ideally you would use your company's software distribution system to pre-deploy the AnyConnect client and NAM module to user machines. Without that, there isn't really a clean way to do it. There is a way to push the AnyConnect client and its modules to users in ISE 1.3 as part of posture assessment client provisioning, but you would first need to find a way to allow the user to authenticate without .1x, possibly through web login, to let them get to the page where they can download the client.

Hi,

It's a good start. Can you give me these steps?

Hi,

Before I start, great videos. Top resource for learning, thanks for investing your time in producing these.

I have a query regarding 'User or Computer Authentication'. We operate a Windows 2012 forest made up of three domains. We issue both User and Computer certificates to domain joined computers and domain users.

I understand that when a computer boots, the computer certificate is used to authenticate the device and to allow policy, etc. to kick in prior to user login. What I am struggling to understand is at what point the user certificate is used. After a machine boots, the user on a Windows X device is prompted to enter their username and password (MS-CHAPv2), but when is the user certificate sent for authentication? Is it when the user enters their username and password? This part is not clear to me.

Thanks

Thank you for the feedback. User auth happens at Windows login as well as on network reconnects after the user is already logged in. If you have the .1x profile set to Smartcard (i.e. EAP-TLS), Windows will use the user certificate to authenticate. The user should not be prompted for a username/password assuming you have EAP-TLS enabled, since with the Windows native supplicant you can do either EAP-TLS or PEAP for both user and machine auth, not a combination of the two.

Hi,

Thanks for the response. Unfortunately this is still not clear to me.

What is still not clear is when the 'User Certificate' is used to authenticate. I've watched a couple of your videos and it appears that when the user enters their domain username and password that the user certificate is then used to get access to the network.

This is the part I am struggling with. With both 'User or Computer Authentication' enabled, is it the case that the 'Computer' certificate is used when the device is booting to get the computer access to the network for GPO updates, etc.? Then the 'User' certificate is used when the user presses 'ctrl+alt+del' and then enters their domain username and password?

Yes, you are correct. The fact that the user logs into Windows with a username/password has nothing to do with how the .1x is performed. .1x controls what protocol is used to authenticate. In the case of Smartcard, the computer cert is used at bootup prior to Windows login, and the user cert is used thereafter, since the user is now known to the machine.