Header Only - DO NOT REMOVE - Extreme Networks
Question

Dynamic Policy Without User Certificates


Userlevel 5
Hi,

Have a scenario where a customer is using a Windows supplicant and would like to use 802.1x certificate based port authentication.

Machine certs used to only allow corporate machines onto the network and re-auth using user certs when a user logs on to the system with elevated policy privileges dependant on whom logs in - which all works.

The question is; is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses machine cert to connect to the network but the use of roaming certificates is proving a challenge on the Microsoft side of things, its a little clunky!?. User certs are needed to pass the username as part of the authorisation process to assign the associative rule in NAC based on AD group.

I know you can argument the XMC database with username details, say through kerberos snooping, API integration say with Palo Alto. The problem is in the past when I've tried using this information as part of the NAC rules the information appears after the fact of the port being authenticated.

One example of that was using DHCP fingerprint to determine device type, say a specific printer to complement MAC authentication, but because that information isn't available after the fact of authentication you can't use it.

Its probably possible, and possibly many different ways of doing it, but be interested in anyone's thoughts,

Many thanks in advance

14 replies

Userlevel 3
Martin,

Instead of using Certs for Machine and User, would the customer consider using EAP-PEAP? We ran into an issue on an install where the customer wanted to use machine certs, and EAP-PEAP for the user authentication. The problem was that when the user would log on, they would not re-auth.

Using EAP-PEAP with user and computer set, solved the issue. The machine authenticated via NAC using it's AD machine account and got on the network. When the user logs into the computer, the machine account logs out, and the user is then authenticated via NAC using their AD credentials.

Hope this helps.

Bill
Userlevel 5
Hi Bill,

Thanks for responding.

This was considered, and is always a contention point when first introducing authentication.. The solution is both wired and wireless, the issue with EAP-PEAP is that any member of staff, or anyone who has managed to obtain a windows account can login with any device they wish - this is the primary idea of using certs as it offers the highest form of security and specifically addresses that vulnerability.

Certs can then be used to ONLY allow Corporate approved devices and users attaching to the network.

So there lays my conundrum.... I can continue using machine certs, but the windows supplicant can't change the authentication method to say PEAP., although that wouldn't necessarily fix my problem as you still would be able to get on the network with an AD account as the supplicant is only performing computer OR client authentication, not both!

I know there are vendors that use their own supplicants to overcome these problems, and windows is inherently limited.

So I am looking / hoping there is an Extreme solution that could help, hence why I started drifting towards using the API?

Probably need a custom supplicant, but what one could I use?

Many thanks
Martin,

Starting by the end , the solution implies thats you must be able to setup a rule with "Authentication is 802.1X (PEAP) and User is in GROUP-XXX and End-System is in GROUP-YYY"
GROUP-XXX will give you the new role and the GROUP-YYY will validate that the device belongs to the domain (AD-GROUP).

Try forcing a 802.1X/PEAP on the computer instead of TLS.
For the GROUP-YYY de fine a specific group in the AD and assign it to the computer account.
Same logic for the user
The computer should register as end-device with computer access and the end-user auth will change this.
Enable the port link control except if you have multiple devices per port.

Let us know,

Mig
Userlevel 5
Hi Mig,

Thanks for responding.

Apologies in advance if there is a misunderstanding in my interpretation, appreciate the feedback as it opens the discussion, so these are just my thoughts....

If I take that example and connect any PC with the Windows supplicant enabled for PEAP to the wired or wireless network, I would be presented with a bubble that allows me to input a AD username and password.

Based on the rule for 'User is in GROUP-XXX' authentication would pass on a valid username and password, and authorisation would also pass based on being in GROUP-XXX; I've now connected my non Corporate PC to the network.

This is the problem.

The machine rule would still take place prior using rule 'End-system is in Group-YYY'. Well in fact I would actually configure an NTLM based authentication on this machine in AD because an actual password is stored in AD, and then do an authorisation based on the 'End-system is in Group-YYY'. That's fine, machine is then authenticated, no other machine can connect that way, but its separate to user auth, its not in addition from what I understand - so a simple user auth with PEAP will get you on based on those rules regardless of the machine.

TLS fixes that because its certificate based, and along with GPO and PKI it can be automated. Its secure in part because the issuing of certs is controlled by the root thats controlled by the organisation.

I have solutions working in this way, with machine and user certs. Problem is the supporting infrastructure can be complicated, difficult to manage and diagnose, with PEAP being much simpler but less secure.

Appreciate the trade offs, and well, you want more security comes the complication. The ability to do machine AND user authentication either with just PEAP or machine certs AND user with PEAP would be the perfect answer.

I believe this can be done with custom supplicants, but without an Extreme one available I wondered if there where any other Extreme alternatives or off the shelf ones anyone has used?

Many thanks.
Martin,

I'm not 100% sure because I never tested your scenario.

In the config 802.1X of the windows PC you must select "User or computer Authentication".
When the computer starts, it will authenticate with the computer credentials giving access to network for GPO updates, etc.
When the user logs on it should send his own user credentials.
If the PC has been authenticated previously matching an AD group it should be registered as an end-system belonging to the AD group (GROUP-YYY). If so, a rule "Authentication is 802.1X (PEAP) and User is in GROUP-XXX and End-System is in GROUP-YYY" should trigger for a domain PC only (belonging to GROUP-YYY).

I'll try to test this this week.

Mig
Userlevel 5
Hi Mig,

Let me know how you get on.

The 'if so' bit it the bit I believe doesn't happen.

The PC authenticates when the machine connects, runs through the rule engine and ends there, accept or reject. When the user logs on the authentication starts again, runs through the rule engine as a fresh request.

I've not seen an option (although it could exist) around the 'if so' part, that would additionally solve the problem.i.e. you could create a rule that remembers or puts that machine into a special group that you can then test on you do a user auth, which says that machine has already passed authentication.

That's made me think though, maybe there is something along those lines that could be done.

I'll give that some thought also

Thanks!
Userlevel 3

Martin,

you can set the the rule to filter on the end-system as well as the user group, and use AD to match both conditions.

The first rule would allow the machine to authenticate via 802.1x PEAP using it’s AD machine user account, this would allow the machine to get onto the network - as mentioned previously.  

Once the end-user logs on, then authentication is triggered again, and the matching rule can be set to match that user’s AD OU/Group/etc. and the machine’s AD group as well before allowing access to the network.

We have set this up for our end-customers and it does work as explained.

If a user attempts to gain access with a non-domain device, it fails due to not matching the end-system portion of the rule.

This may be something better explained/shown offline on a call/remote session...

Userlevel 5

Hi Bill,

Thanks for responding.

The forum is great, but sometimes its useful just to have someone else to call and bounce ideas off. Be useful to build a community of like minded people just to chat some times - so open for a call anytime. 

So, I could be wrong here, and perfectly happy to be wrong as simply just want to get the right answers, feel free to shoot me down :)

I am also completley splitting hairs here, and get what you are saying and know that would indeed work, but you can still get my laptop on that network because its not machine AND user auth.

The first step if configured properly would do machine NTLM based authentication, perfect, only a corporate machine will get on. When logging in as a user though you are still just doing user authentication and then simply doing hostname (lookup) authorisation based on the rule you’ve created.

So, an example might be an emplyee who has a corporate machine and also thereby has a AD account. They decide to bring in their laptop and connect it to the corporate network. They simply change the hostame of the laptop to match their current machine. When they connect it will fail machine authentication, BUT they will presented with the username and password buble for PEAP based authentication of which they will enter their AD credentials. The laptop will then get on the network because the user passed authenticaiton and the hostname passed authorisation because it simply just matches the name based on the end-system configuration, because the hostname is doing authorisation not authentication of the machine. Think I could do the same with my IPhone connecting to wireless, just change the phones name to match a matching hostname that exists in AD of that group, put in my username and password and I’m in.

Again, that is a little over the top but my point is that either using certificates or doing machine AND user authentication is the only way to overcome the porblem of allowing only corporate machines on the network when using some kind of user authenticaton.

Well kind of hoping not, and hopeing someine will put straight on my theory and there is a way around it.

Cheers,

 

Martin,

Access Control doesn’t rely on the hostname.

It will at least check teh mac-address and finger printing to ensure it is the same device.

picking up the hostname will not give access to the network.

Mig

PS:I still need to test the solution proposed before.

Userlevel 5

Thanks Mig.

Let me know how you get on. Interested in the results. Probably need to do some further testing myself.

Look forward to catching up then.

Cheers.

Userlevel 3

Martin,

We’ve verified that changing the name does not work when we set this up some time ago.  It looks at more than just the hostname when it checks AD.

 

The best thing to do is to test this for yourself in a test environment, or to see it in action.

Userlevel 7

Hi Martin.

 

consider following approach:

  • use PEAP for both computer and user
  • If there was a computer authenticated less then 24 hours ago then the user authentication is accepted as “User on corporate device”
  • If there was no computer authenticated less then 24 hours ago then the user authentication is accepted as “User on non-corporate device”

If the above is acceptable then "User authenticated on domain computer" is the solution for you.

 

Userlevel 5

Hi Z,

Thanks for posting back.

That was the exact method I was trying to accomplish but didn’t know how or even if it was possible, didn’t think about workflows! First time I’ve seen a real practical use for it.

That would though make XMC a critical component in the process though right, so redundancy for XMC would need to be considered?

That said, I have a customer that is already using certs and wanted to use dynamic policy based on username without being dependent on a user cert, mainly because of the back-end complications in accomplishing that.

I can’t switch the supplicant from EAP-TLS to PEAP, but wondered if there was another way of doing it, like using Kerberos snooping for example…. the problem is the ‘Authentication’ element, it has to be one or the other, so think I’m stuck without a custom supplicant?

Thanks,

Martin

Userlevel 7

Hi Martin.

 

Regarding HA:

  • You can have XMC as HA. One of the options is described here.
  • If the connection between XMC and engine is not available:
    • Timed-out devices are not removed = the list of computers authenticated in the last 24 hours is updated by XMC = not NetOps issue.
    • New devices are not added = this might be a NetOps issue. New company-owned devices will be handled as BYOD devices until the connection is established again.
    • End-system groups are automatically synchronized in the background = there is no issue for devices already in the list of computers authenticated in the last 24 hours.
  • 24 hours is just an example. It is a configurable variable in the workflow.

Regarding supplicant:

  • The missing option to combine EAP-TLS and PEAP is a limitation of MS supplicant.
  • You can theoretically use custom supplicants...

Regards

Reply