Question

802.1x user authentication and Machine authentication via certificate

  • 31 May 2019
  • 7 replies
  • 2259 views

Hi All

I have configured a Wi-Fi SSID to authenticate users via 802.1X user credentials against Microsoft LDAP, using a NAC appliance, where I have configured the rule below, which matches a specific LDAP user group and a specific SSID.

I need to authenticate user and machine at the same time: the user via LDAP credentials and the machine via certificate.

Could someone help me?

7 replies

Hi Claudio,

If you want to do user + machine authentication, the native MS Windows supplicant will not allow you to do this as of now (only user OR machine authentication). What you want is sometimes referred to as EAP Chaining. It is reachable with 3rd-party supplicant software like https://github.com/Amebis/GEANTLink (but mentioned as experimental). I'm not sure, but maybe SecureW2 also enables devices for that. Maybe there are some others, of course, besides Cisco's proprietary supplicant. ;)

I'm also curious if somebody here has some field-proven supplicant software example for this.

Hope that helps,
Tomasz
I would be interested in a supplicant also, as I have customers that want certificate authentication for machines (EAP-TLS) and straight user login (PEAP) when logging in - although that isn't necessary, and it is a lot more secure and standards-based to use certificates for both - no need for a custom / proprietary supplicant then.

Although you can't do both at the same time, I think I'm right in saying you can use both machine and user authentication in the manner requested; you just basically authenticate twice.

When the laptop connects to the network it will initially do machine-based authentication, then when logging in it will do user authentication - this is how I've configured it in the past.

This is based on using certificate-based EAP-TLS authentication in both cases, so the supplicant doesn't need to change between different methods, i.e. you can just use the Windows native supplicant.

In both cases you can use LDAP to validate the authorisation allowed. The advantage of also doing user certificate-based authentication (simplicity, security, and standards-based aside) is that you can elevate policy roles based on the user logged in, whereas machine authentication is just based on the machine.

You can configure the Windows client to log on first to initially pull down the client certificate to the end-system, so it's portable whenever you log into any end-system that doesn't already have a user certificate in its local repository.

Hope that helps?
Thanks a lot to All

@Tomasz 

Machine and User auth is definitely possible with Microsoft's supplicant. No third-party supplicant is necessary. By default, the Windows supplicant tries a Machine authentication at boot. Once the user logs in, then the User is authenticated.

If Control can't do it, that's one thing, but it's definitely possible with other solutions. For instance, ClearPass caches the Machine authentication state. Then when the user logs in, it combines it with the Machine state and provides "full" access. ISE functions the same way.

The long-term solution is of course EAP-TEAP, or EAP-chaining.

Hi @zak,
Now I think I might have misunderstood @Claudio D'Ascenzo a bit.

In Extreme Access Control a machine can get authenticated at boot or when just plugged into the network using machine-related info/cert, and then when this or that user logs in, the ultimate policy is applied. But the final network authentication on the switch port and the ultimate policy are both based on the last authentication that occurred for that MAC address. Does it work differently in ClearPass? Are you able to provide an end-system with a certain policy only if both machine and user authentications were successful, not just user auth?

Kind regards,

Tomasz

@Tomasz, Yes. ClearPass caches the machine authentication for that endpoint. When the user logs in, ClearPass matches that to the machine authentication and allows you to determine if they completed one, or both authentications. So you could have a policy for if the user only passed Machine Authentication, or if they passed both User AND Machine authentication. Cisco ISE does this as well.

EAP-TEAP (EAP-Chaining) is not required. However, it IS the best route, and a lot more graceful, as EAP-TEAP will submit both sets of creds at once. EAP-TEAP is available in the latest Windows version update.

With that said, I was only pointing out that the supplicant is capable of doing it if the NAC solution provides a machine authentication cache. Extreme Control and Microsoft NPS do not provide this, unfortunately.

You can set up Extreme Control to do the machine login first and then have a second rule to do the user authentication. However, this is not the same thing, as either will pass if they're valid credentials. It is not correlating the machine to the user.
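To make the difference between the two approaches concrete, here is an added example (not from the thread, not ClearPass, ISE or Extreme Control code) that models a NAC policy decision in Python. It implements the "machine authentication cache" described above: a successful machine authentication is remembered per Calling-Station-Id (MAC) for an assumed lifetime, and a later user authentication from the same MAC is correlated with it, so the policy can distinguish "machine only", "user only" and "user and machine". For contrast, it also shows the non-correlating "last authentication wins" behaviour, where a valid user login is enough on its own. Identity formats (`host/pc.domain` for an EAP-TLS machine certificate, `DOMAIN\pc$` for a PEAP machine account), the eight-hour cache lifetime and the role names are all assumptions for illustration.

```python
"""Toy 802.1X policy engine: machine-auth cache vs. last-auth-wins.

Added example, not vendor code. Credential validation (certificate chain,
MSCHAPv2 against AD) is assumed to have happened already; `success` below
is that result.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
import time

# Assumed cache lifetime for a machine authentication (e.g. one work day).
MACHINE_AUTH_TTL = 8 * 3600


@dataclass
class AuthRequest:
    mac: str        # RADIUS Calling-Station-Id, any case / separator style
    identity: str   # EAP outer/inner identity as presented by the supplicant
    method: str     # "EAP-TLS" or "PEAP"; informational only here
    success: bool   # outcome of the credential check


def is_machine_identity(identity: str) -> bool:
    """Heuristic for Windows machine identities (assumed formats):
    EAP-TLS machine cert SAN  -> host/pc01.corp.example
    PEAP machine account      -> CORP\\pc01$
    """
    return identity.lower().startswith("host/") or identity.endswith("$")


def normalize_mac(mac: str) -> str:
    """Normalise 'AA:BB:CC:DD:EE:01', 'aa-bb-cc-dd-ee-01', 'aabb.ccdd.ee01'."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class CorrelatingEngine:
    """ClearPass/ISE-style behaviour as described in the thread: remember a
    successful machine auth per MAC, then correlate the user auth with it."""
    clock: Callable[[], float] = time.time
    # mac -> (machine identity, expiry timestamp)
    machine_cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def authorize(self, req: AuthRequest) -> str:
        now = self.clock()
        if not req.success:
            return "reject"
        mac = normalize_mac(req.mac)
        if is_machine_identity(req.identity):
            # Machine passed: remember it, grant the restricted machine role.
            self.machine_cache[mac] = (req.identity, now + MACHINE_AUTH_TTL)
            return "machine-only"
        cached = self.machine_cache.get(mac)
        if cached is not None and cached[1] > now:
            # User passed AND this MAC did a machine auth within the TTL.
            return "user-and-machine"
        if cached is not None:
            # Stale entry: the MAC was last machine-authenticated too long ago.
            del self.machine_cache[mac]
        # Valid user credentials from a MAC with no (fresh) machine auth,
        # e.g. a personal laptop with a domain user's password.
        return "user-only"


def last_auth_wins(req: AuthRequest) -> str:
    """Behaviour when the NAC keeps no machine-auth state: the role follows
    whichever authentication happened last, so a valid user login alone is
    indistinguishable from a user login on a domain-joined machine."""
    if not req.success:
        return "reject"
    return "machine" if is_machine_identity(req.identity) else "user"


if __name__ == "__main__":
    eng = CorrelatingEngine()
    boot = AuthRequest("AA:BB:CC:DD:EE:01", "host/pc01.corp.example", "EAP-TLS", True)
    login = AuthRequest("aa-bb-cc-dd-ee-01", "CORP\\alice", "PEAP", True)
    byod = AuthRequest("AA:BB:CC:DD:EE:02", "CORP\\bob", "PEAP", True)
    for r in (boot, login, byod):
        print(f"{r.identity:28} correlated={eng.authorize(r):18} "
              f"last-auth-wins={last_auth_wins(r)}")
```

Run stand-alone, the corporate laptop ends up as `user-and-machine` while the BYOD login from an unknown MAC is only `user-only`; the `last_auth_wins` column shows both as plain `user`, which is the "not correlating the machine to the user" case. The TTL is the one knob a real deployment has to think about: too short and a laptop that stays up for days loses the machine state at the next re-authentication, too long and a MAC spoofed from a decommissioned machine inherits it.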

Hi @zak,

I see it more clearly now, thank you!

Regarding caching the machine authentication state, it's something that's not available out of the box (kudos to ClearPass and ISE; hoping we could see this here as well). It can be somehow achieved with an additional Workflow (a kind of XMC extension that can be provided by anyone): https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/README.md ("User authenticated on domain computer").

I didn't see how this caching works on ClearPass, so it's hard for me to tell how similar it is, but it sounds like that at first sight (machine auth state being cached - the MAC remembered in an end-system group to check during user authorization with EAC rules; but caching for how long?).

Not comparing that to the chaining, of course; IMHO it's different and slightly better (so ISE owns in this particular feature, I'd say).

Might I ask you for some note on Windows 10 EAP-TEAP support? I don't see it on my 10.0.18363 under authentication (and now I see some KB is waiting in line, oops...).

Kind regards,

Tomasz