cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

802.1x user authentication and Machine authentication via certificate

802.1x user authentication and Machine authentication via certificate

Claudio_D_Ascen
New Contributor III
Hi All

I have configured a wifi SSID to autenticate user via 802.1x user credential by LDAP Microsoft, using a NAC appliance, where I have configured the below rule, that match a specific LDAP user group, and a specific SSID.

I need to authenticate user & machine in the same time, user via LADP credential and machine via certificate.

Someone could help me?
1 ACCEPTED SOLUTION

JakubS
New Contributor

Hi Tomasz,

Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, itā€™s in their road map so hopefully somedayā€¦

 Nevertheless, there should be basically two workarounds. The first one is the one youā€™re describing in your previous post. I can be done either manually or using the workflow you provided.

The second one is to create two rules. First for machine certificate authentication and second one for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told, that it does not work very well. However, I havenā€™t tried it myself, so who knows, it may be the way.

Iā€™m not an expert in AD/GPO myself, but I donā€™t believe that there is a ā€œuser-friendlyā€ solution. And even if it was, I would like to assign different VLANs to different groups of users, which wouldnā€™t be possible, right? The NAC would just let the machine to the network, but Iā€™d have to have a user certificate (which I donā€™t have) to assign a specific VLAN. With machine certificate only, the NAC would know that the machine is from our company, therefore let it in, but wouldnā€™t know which user uses it, so I canā€™t create any user group.

 

Regards,

Jakub

View solution in original post

12 REPLIES 12

Tomasz
Valued Contributor II

Hi Jakub,

 

Iā€™d love to see this being delivered in some future update.

For the time being, we could try to collect MAC addresses of corporate devices and have this end-system group as an additional criteria for AD users to be AAAā€™d successfully. This would not help however regarding users logging in from other corp stations than their own ones. It wouldnā€™t help for MAC spoofing either, but neither 802.1X is resilient against MitM. Itā€™s a matter of risk assessment IMHO.

Wouldnā€™t there be an attribute that could be applied to corporate devices in AD so they can be verified for this or that VLAN assignment? We can do End-system Group of type ā€œLDAP Host Groupā€ and lookup some attributes for hosts same way as for users in User Group of type ā€œLDAP User Groupā€ (the real difference is this or that section of LDAP connection configuration that is used to pull data).

 

Hope that helps,

Tomasz

JakubS
New Contributor

Hi Tomasz,

Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, itā€™s in their road map so hopefully somedayā€¦

 Nevertheless, there should be basically two workarounds. The first one is the one youā€™re describing in your previous post. I can be done either manually or using the workflow you provided.

The second one is to create two rules. First for machine certificate authentication and second one for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told, that it does not work very well. However, I havenā€™t tried it myself, so who knows, it may be the way.

Iā€™m not an expert in AD/GPO myself, but I donā€™t believe that there is a ā€œuser-friendlyā€ solution. And even if it was, I would like to assign different VLANs to different groups of users, which wouldnā€™t be possible, right? The NAC would just let the machine to the network, but Iā€™d have to have a user certificate (which I donā€™t have) to assign a specific VLAN. With machine certificate only, the NAC would know that the machine is from our company, therefore let it in, but wouldnā€™t know which user uses it, so I canā€™t create any user group.

 

Regards,

Jakub

Tomasz
Valued Contributor II

Hi Jakub,

 

Windows 10 hosts started supporting EAP-TEAP a bit ago but I didnā€™t play with it yet.

Besides, XMC can provide you a workflow that was linked above. Itā€™s about EAC storing the authenticated host MAC address and verify if the user auth happens from a verified host.

Iā€™d love to see further progress on that. BTW, Iā€™m not that deep in AD/GPO, wouldnā€™t it be possible to prevent unwanted users from logging in to the laptop, and thus only having to focus on the machine auth on the network side?

 

Kind regards,

Tomasz

Volker_Kull
Contributor

Hi all,

 

there are two showstoppers:

  • 802.1X only supports device OR user authentication per authentication session while most Extreme devices do not support reauthentication triggerdd by NAC to get the second shot with 802.1X with username
  • there is no field (column) in XMC/NAC per session for the real ā€œusernameā€ when username is filled with hostname after device authentication

We are looking for that since long time ago when Trapeze had that in their wifi solution !!

Yes, itĀ“s possibly working with caching the authenticated device (TLS) and use this behaviour for user authentication (PEAP)ā€¦Windows is in this case not a reliable platform with all the dependencies.

Changing the order and start with PEAP (user auth) and validate the device in AD device group is another option. 

At the end of the day, using TLS is the best and most reliable way for secure authentication of a device.

btw: Cisco is using EAP-TEAP for EAP chainingā€¦.

 

br

Volker

GTM-P2G8KFN