
802.1x user authentication and Machine authentication via certificate

Claudio_D_Ascen
New Contributor III
Hi All

I have configured a wifi SSID to authenticate users via 802.1x user credentials against Microsoft LDAP, using a NAC appliance, where I have configured the rule below, which matches a specific LDAP user group and a specific SSID.

I need to authenticate user & machine at the same time, the user via LDAP credentials and the machine via certificate.

Could someone help me?
1 ACCEPTED SOLUTION

JakubS
New Contributor

Hi Tomasz,

Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, it’s in their road map so hopefully someday…

Nevertheless, there should be basically two workarounds. The first one is the one you’re describing in your previous post. It can be done either manually or using the workflow you provided.

The second one is to create two rules. First for machine certificate authentication and second one for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told, that it does not work very well. However, I haven’t tried it myself, so who knows, it may be the way.

I’m not an expert in AD/GPO myself, but I don’t believe that there is a “user-friendly” solution. And even if it was, I would like to assign different VLANs to different groups of users, which wouldn’t be possible, right? The NAC would just let the machine to the network, but I’d have to have a user certificate (which I don’t have) to assign a specific VLAN. With machine certificate only, the NAC would know that the machine is from our company, therefore let it in, but wouldn’t know which user uses it, so I can’t create any user group.


Regards,

Jakub

JakubS
New Contributor

Hi everyone.

I came across the same problem as Claudio D'Ascenzo, even though I use wired network. However, after reading all these replies, I’m still not sure, how to configure my Extreme NAC and the Windows supplicant on endpoints in order to validate the machine certificate and then authenticate the user on AD via LDAP. Or if it’s even possible…

Do you have any updates on this topic, perhaps a GTAC manual?

Thank you!

Jakub

Tomasz
Valued Contributor II

Hi @zak,

I see it more clearly now, thank you!

Regarding caching the machine authentication state, it’s something that’s not out of the box (kudos to Clearpass and ISE, hoping we could see this here as well). It can be somehow achieved with additional Workflow (kind of XMC extension that can be provided by anyone): https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/README.md (“User authenticated on domain computer”).

I didn’t see how this caching works on Clearpass so it’s hard for me to tell how similar it is but sounds like that at first sight (machine auth state being cached - MAC remembered in an end-system group to check during user authorization with EAC rules; but caching for how long?).

Not comparing that to the chaining of course, IMHO it’s different and slightly better (so ISE owns in this particular feature I’d say).

Might I ask you for some note on Windows 10 EAP-TEAP support? I don’t see it on my 10.0.18363 under authentication (and now I see some KB is waiting in line, oops...).


Kind regards,

Tomasz

zak
New Contributor

@Tomasz , Yes. Clearpass caches the machine authentication for that endpoint. When the user logs in then Clearpass matches that to the machine authentication and allows you to determine if they completed one, or both authentications. So you could have a policy for if the user only passed Machine Authentication, or if they passed both User AND Machine authentication. Cisco ISE does this as well.

EAP-TEAP (EAP-Chaining) is not required. However, it IS the best route, and a lot more graceful as EAP-TEAP will submit both sets of creds at once. EAP-TEAP is available in the latest Windows version update.

With that said, I was only pointing out that the supplicant is capable of doing it if the NAC solution provides a machine authentication cache. Extreme Control and Microsoft NPS do not provide this, unfortunately.

You can set up Extreme Control to do the machine login first then have a second rule to do the user authentication. However, this is not the same thing as either will pass if they’re valid credentials. It is not correlating the machine to the user.

Tomasz
Valued Contributor II

Hi @zak,


Now I think I might have misunderstood @Claudio D'Ascenzo a bit.

In Extreme Access Control a machine can get authenticated at boot or when just plugged into the network using machine-related info/cert and then when this or that user logs in, the ultimate policy is applied. But the final network authentication on the switch port and the ultimate policy are both based on the last authentication that occurred for that MAC address. Does it work differently in Clearpass? Are you able to provide an end-system with a certain policy only if both machine and user authentications were successful, not just user auth?


Kind regards,

Tomasz

zak
New Contributor

@Tomasz 

Machine and User auth is definitely possible with Microsoft’s supplicant. No third party supplicant is necessary. By default, the Windows supplicant tries a Machine authentication at boot. Once the user logs in, then the User is authenticated. 

If Control can’t do it, that’s one thing, but it’s definitely possible with other solutions. For instance, Clearpass caches the Machine authentication state. Then when the user logs in, it combines it with the Machine state and provides “full” access. ISE functions the same way.


The long-term solution is of course EAP-TEAP, or EAP-chaining.
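The difference zak describes between a NAC that caches machine authentication per MAC (Clearpass/ISE, or the "User authenticated on domain computer" workflow Tomasz linked) and two independent rules that let either authentication pass, as an added example that is not part of this thread or of any vendor's code: a small policy evaluator run over constructed RADIUS-style auth events. The VLAN names, the cache TTL and the sample MACs/identities are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AuthEvent:
    ts: float        # seconds since epoch (constructed values below)
    mac: str         # end-system MAC, the key a NAC remembers
    kind: str        # "machine" (certificate) or "user" (LDAP/AD credentials)
    identity: str    # host/... or DOMAIN\user
    success: bool

@dataclass
class MachineAuthCache:
    """MACs that passed machine (certificate) auth, like the end-system group
    the workflow keeps. TTL is an assumption; the thread leaves it open."""
    ttl: float
    _seen: dict = field(default_factory=dict)

    def record(self, ev: AuthEvent) -> None:
        if ev.kind == "machine" and ev.success:
            self._seen[ev.mac.lower()] = ev.ts

    def passed(self, mac: str, now: float) -> bool:
        ts = self._seen.get(mac.lower())
        return ts is not None and now - ts <= self.ttl

def authorize_correlated(ev: AuthEvent, cache: MachineAuthCache) -> str:
    """Clearpass/ISE-style decision: a user only gets full access when the
    same MAC already passed machine auth. Policy names are placeholders."""
    cache.record(ev)
    if not ev.success:
        return "REJECT"
    if ev.kind == "machine":
        return "VLAN_MACHINE_ONLY"        # corporate device, no user yet
    if cache.passed(ev.mac, ev.ts):
        return "VLAN_USER_AND_MACHINE"    # both passed: full access
    return "VLAN_USER_RESTRICTED"         # valid AD creds, unmanaged device

def authorize_two_rules(ev: AuthEvent) -> str:
    """Two independent rules: the last successful authentication for the
    MAC decides on its own; nothing ties the user to the machine."""
    if not ev.success:
        return "REJECT"
    return "VLAN_MACHINE_ONLY" if ev.kind == "machine" else "VLAN_USER_FULL"

# Constructed sample: a domain PC does machine auth at boot, its user logs in
# 30 s later; then a user logs in from a MAC that never did machine auth.
SAMPLE = [
    AuthEvent(1000.0, "00:11:22:33:44:55", "machine", "host/pc01.corp.example", True),
    AuthEvent(1030.0, "00:11:22:33:44:55", "user", "CORP\\alice", True),
    AuthEvent(1040.0, "66:77:88:99:AA:BB", "user", "CORP\\bob", True),
]

def run(events, ttl=3600.0):
    """(mac, identity, correlated policy, two-rule policy) for each event."""
    cache = MachineAuthCache(ttl)
    return [(e.mac, e.identity, authorize_correlated(e, cache), authorize_two_rules(e))
            for e in events]
```

Lowering the TTL shows the "caching for how long?" question from the thread: with a short TTL the user login in the sample no longer correlates with the earlier machine auth and falls back to the restricted policy.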
