Extreme Networks

Hi @zak,

I see it more clear now, thank you!

Regarding caching the machine authentication state, it’s something that’s not out of the box (kudos to Clearpass and ISE, hoping we could see this here as well). It can be somehow achieved with additional Workflow (kind of XMC extension that can be provided by anyone): https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/README.md (“User authenticated on domain computer”).

I didn’t see how this caching works on Clearpass so it’s hard for me to tell how similar it is but sounds like that at first sight (machine auth state being cached - MAC remembered in an end-system group to check during user authorization with EAC rules; but caching for how long?).

Not comparing that to the chaining of course, IMHO it’s different and slightly better (so ISE owns in this particular feature I’d say).

Might I ask you for some note on Windows 10 EAP-TEAP support? I don’t see it on my 10.0.18363 under authentication (and now I see some KB is waiting in line, oops...).

Kind regards,

Tomasz

@Tomasz , Yes. Clearpass caches the machine authentication for that endpoint. When the user logs in then Clearpass matches that to the machine authentication and allows you to determine if they completed one, or both authentications. So you could have a policy for if the user only passed Machine Authentication, or if they based both User AND Machine authentication. Cisco ISE does this as well.

EAP-TEAP (EAP-Chaining) is not required. However, it IS the best route, and a lot more graceful as EAP-TEAP will submit both sets of creds at once. EAP-TEAP is available in the latest Windows version update.

With that said, I was only pointing out that the supplicant is capable of doing it if the NAC solution provides a machine authentication cache. Extreme Control and Microsoft NPS does not provide this, unfortunately.

You can setup Extreme Control to do the machine login first then have a second rule to do the user authentication. However, this is not the same thing as either will pass if they’re valid credentials. It is not correlating the machine to the user.

Hi @zak,

Now I think I might have misunderstood @Claudio D'Ascenzo a bit.

In Extreme Access Control machine can get authenticated at boot or when just plugged to the network using machine-related info/cert and then when this or that user logs in, ultimate policy is applied. But the final network authentication on the switch port and ultimate policy are both based on the last authentication that occured for that MAC address. Does it work differently in Clearpass? Are you able to provide an end-system with a certain policy only if both machine and user authentications were successful, not just user auth?

Kind regards,

Tomasz

@Tomasz 

Machine and User auth is definitely possible with Microsoft’s supplicant. No third party supplicant is necessary. By default, the Windows supplicant tries a Machine authentication at boot. Once the user logs in, then the User is authenticated. 

If Control can’t do it, that’s one thing, but it’s definitely possible with other solutions. For instance, Clearpass caches the Machine authentication state. Then when the user logs in, to combines it with the Machine state and provides “full” access. ISE functions the same way.

The long-term solution is of course EAP-TEAP, or EAP-chaining.