Question

802.1x user authentication and Machine authentication via certificate


Hi All

I have configured a wifi SSID to authenticate users via 802.1x user credentials against Microsoft LDAP, using a NAC appliance, where I have configured the rule below, which matches a specific LDAP user group and a specific SSID.

I need to authenticate the user and the machine at the same time: the user via LDAP credentials and the machine via certificate.

Could someone help me?

Hi Claudio,

If you want to do user + machine authentication, the native MS Windows supplicant will not allow you to do this as of now (only user OR machine authentication). What you want is sometimes referred to as EAP Chaining. It is reachable with 3rd party supplicant software like https://github.com/Amebis/GEANTLink (but mentioned as experimental). I'm not sure, but maybe SecureW2 also enables devices for that. Maybe there are some others, of course besides Cisco's proprietary supplicant. ;)

I'm also curious if somebody here has some field-proven supplicant software example for this.

Hope that helps,
Tomasz
I would be interested in a supplicant also, as I have customers that want certificate authentication for machines (EAP-TLS) and straight user login (PEAP) when logging in - although that isn't necessary, and it is a lot more secure and standards based to use certificates for both - no need for a custom / proprietary supplicant then.

Although you can't do both at the same time, I think I'm right in saying you can use both machine and user authentication in the manner requested; you just basically authenticate twice.

When the laptop connects to the network it will initially do machine based authentication, then when logging in it will then do user authentication - this is how I've configured it in the past.

This is based on using certificate base EAP-TLS authentication in both cases, so the supplicant doesn't need to change between different methods i.e. you can just use the windows native supplicant.

In both cases you can use LDAP to validate the authorisation allowed. The advantage to also doing user certificate based authentication (simplicity, security, and standards based aside) is that you can elevate policy roles based on the user logged in, whereas machine authentication is just based on the machine.

You can configure the Windows client to log on first to initially pull down the client certificate to the end-system, so it's portable whenever you log into any end-system that doesn't already have a user certificate in its local repository.

Hope that helps?
Thanks a lot to All

@Tomasz 

Machine and User auth is definitely possible with Microsoft's supplicant. No third party supplicant is necessary. By default, the Windows supplicant tries a Machine authentication at boot. Once the user logs in, then the User is authenticated.

If Control can't do it, that's one thing, but it's definitely possible with other solutions. For instance, Clearpass caches the Machine authentication state. Then when the user logs in, it combines it with the Machine state and provides "full" access. ISE functions the same way.

The long-term solution is of course EAP-TEAP, or EAP-chaining.

Hi @zak,

Now I think I might have misunderstood @Claudio D'Ascenzo a bit.

In Extreme Access Control a machine can get authenticated at boot or when just plugged into the network using machine-related info/cert, and then when this or that user logs in, the ultimate policy is applied. But the final network authentication on the switch port and the ultimate policy are both based on the last authentication that occurred for that MAC address. Does it work differently in Clearpass? Are you able to provide an end-system with a certain policy only if both machine and user authentications were successful, not just user auth?

Kind regards,

Tomasz

@Tomasz, Yes. Clearpass caches the machine authentication for that endpoint. When the user logs in, Clearpass matches that to the machine authentication and allows you to determine if they completed one, or both authentications. So you could have a policy for if the user only passed Machine Authentication, or if they passed both User AND Machine authentication. Cisco ISE does this as well.

EAP-TEAP (EAP-Chaining) is not required. However, it IS the best route, and a lot more graceful, as EAP-TEAP will submit both sets of creds at once. EAP-TEAP is available in the latest Windows version update.

With that said, I was only pointing out that the supplicant is capable of doing it if the NAC solution provides a machine authentication cache. Extreme Control and Microsoft NPS do not provide this, unfortunately.

You can set up Extreme Control to do the machine login first, then have a second rule to do the user authentication. However, this is not the same thing, as either will pass if they're valid credentials. It is not correlating the machine to the user.
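The correlation zak describes (cache the machine authentication per endpoint, then combine it with the later user authentication) is easy to picture as code. The block below is a constructed illustration written for this thread, not code from Extreme Control, ClearPass or ISE; the policy names, the `host/` convention for the machine identity and the 8-hour cache TTL are assumptions, and the TTL is exactly the "caching for how long?" knob that decides when a stale machine auth stops counting.

```python
# Constructed illustration, not Extreme Control, ClearPass or ISE code: a tiny
# policy engine that caches a successful machine (EAP-TLS) authentication per
# MAC address, then correlates a later user (PEAP) authentication from the same
# MAC so that "Full" access is granted only when BOTH succeeded.
# The cache TTL and the policy names are assumptions made for this example.

MACHINE_CACHE_TTL = 8 * 3600  # assumed: a machine auth stays valid for 8 hours


class MachineAuthCache:
    """Remembers which MAC addresses completed a machine authentication."""

    def __init__(self, ttl=MACHINE_CACHE_TTL):
        self.ttl = ttl
        self._seen = {}  # normalised MAC -> (machine identity, timestamp)

    def record(self, mac, identity, now):
        self._seen[mac.lower()] = (identity, now)

    def lookup(self, mac, now):
        entry = self._seen.get(mac.lower())
        if entry is None:
            return None
        identity, stamp = entry
        if now - stamp > self.ttl:  # expired: treat as never machine-authenticated
            del self._seen[mac.lower()]
            return None
        return identity


def authorize(cache, mac, identity, auth_ok, now):
    """Pick a policy for one authentication result seen on a given MAC.

    An identity beginning with 'host/' is a Windows machine account, which is
    what the native supplicant presents at boot; anything else is a user.
    'now' is a Unix timestamp so the caller controls the clock.
    """
    if not auth_ok:
        return ("Quarantine", "credentials rejected")
    if identity.startswith("host/"):
        cache.record(mac, identity, now)
        return ("MachineOnly", "machine auth passed, no user logged in yet")
    machine = cache.lookup(mac, now)
    if machine is None:
        return ("UserOnly", "user auth passed but no cached machine auth")
    return ("Full", f"user {identity} correlated with machine {machine}")
```

A NAC that only evaluates the latest authentication per MAC collapses the first three outcomes into whatever the last rule matched, which is the gap the thread is discussing.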

Hi @zak,

I see it more clearly now, thank you!

Regarding caching the machine authentication state, it’s something that’s not out of the box (kudos to Clearpass and ISE, hoping we could see this here as well). It can be somehow achieved with additional Workflow (kind of XMC extension that can be provided by anyone): https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/README.md (“User authenticated on domain computer”).

I didn’t see how this caching works on Clearpass so it’s hard for me to tell how similar it is but sounds like that at first sight (machine auth state being cached - MAC remembered in an end-system group to check during user authorization with EAC rules; but caching for how long?).

Not comparing that to the chaining of course, IMHO it’s different and slightly better (so ISE owns in this particular feature I’d say).

Might I ask you for some note on Windows 10 EAP-TEAP support? I don't see it on my 10.0.18363 under authentication (and now I see some KB is waiting in line, oops...).

Kind regards,

Tomasz

Hi everyone.

I came across the same problem as Claudio D'Ascenzo, even though I use wired network. However, after reading all these replies, I’m still not sure, how to configure my Extreme NAC and the Windows supplicant on endpoints in order to validate the machine certificate and then authenticate the user on AD via LDAP. Or if it’s even possible…

Do you have any updates on this topic, perhaps a GTAC manual?

Thank you!

Jakub

Hi all,

There are two showstoppers:

  • 802.1X only supports device OR user authentication per authentication session, while most Extreme devices do not support reauthentication triggered by NAC to get the second shot with 802.1X with username
  • there is no field (column) in XMC/NAC per session for the real “username” when username is filled with hostname after device authentication

We have been looking for that since a long time ago, when Trapeze had that in their wifi solution!!

Yes, it's possibly working with caching the authenticated device (TLS) and using this behaviour for user authentication (PEAP)... Windows is in this case not a reliable platform with all the dependencies.

Changing the order and start with PEAP (user auth) and validate the device in AD device group is another option. 

At the end of the day, using TLS is the best and most reliable way for secure authentication of a device.

btw: Cisco is using EAP-TEAP for EAP chaining...

br

Volker

Hi Jakub,

Windows 10 hosts started supporting EAP-TEAP a bit ago but I didn’t play with it yet.

Besides, XMC can provide you a workflow that was linked above. It’s about EAC storing the authenticated host MAC address and verify if the user auth happens from a verified host.

I'd love to see further progress on that. BTW, I'm not that deep in AD/GPO; wouldn't it be possible to prevent unwanted users from logging in to the laptop, and thus only having to focus on the machine auth on the network side?

Kind regards,

Tomasz

Hi Tomasz,

Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, it’s in their road map so hopefully someday…

Nevertheless, there should be basically two workarounds. The first one is the one you're describing in your previous post. It can be done either manually or using the workflow you provided.

The second one is to create two rules: first for machine certificate authentication and second for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told that it does not work very well. However, I haven't tried it myself, so who knows, it may be the way.

I'm not an expert in AD/GPO myself, but I don't believe that there is a "user-friendly" solution. And even if there was, I would like to assign different VLANs to different groups of users, which wouldn't be possible, right? The NAC would just let the machine onto the network, but I'd have to have a user certificate (which I don't have) to assign a specific VLAN. With machine certificate only, the NAC would know that the machine is from our company, therefore let it in, but wouldn't know which user uses it, so I can't create any user group.

Regards,

Jakub

Hi Jakub,

I’d love to see this being delivered in some future update.

For the time being, we could try to collect MAC addresses of corporate devices and have this end-system group as an additional criterion for AD users to be AAA'd successfully. This would not help, however, regarding users logging in from other corp stations than their own ones. It wouldn't help for MAC spoofing either, but 802.1X isn't resilient against MitM either. It's a matter of risk assessment IMHO.

Wouldn't there be an attribute that could be applied to corporate devices in AD so they can be verified for this or that VLAN assignment? We can do an End-system Group of type "LDAP Host Group" and look up some attributes for hosts the same way as for users in a User Group of type "LDAP User Group" (the real difference is which section of the LDAP connection configuration is used to pull data).

Hope that helps,

Tomasz