Dynamic Policy Without User Certificates

Anonymous
Not applicable
Hi,

I have a scenario where a customer is using a Windows supplicant and would like to use 802.1X certificate-based port authentication.

Machine certs are used to only allow corporate machines onto the network, with re-auth using user certs when a user logs on to the system, with elevated policy privileges dependent on who logs in, which all works.

The question is: is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses a machine cert to connect to the network, but the use of roaming certificates is proving a challenge on the Microsoft side of things; it's a little clunky. User certs are needed to pass the username as part of the authorisation process to assign the associated rule in NAC based on AD group.

I know you can augment the XMC database with username details, say through Kerberos snooping or API integration, say with Palo Alto. The problem is that in the past, when I've tried using this information as part of the NAC rules, the information appears after the fact of the port being authenticated.

One example of that was using DHCP fingerprint to determine device type, say a specific printer to complement MAC authentication, but because that information isn't available after the fact of authentication you can't use it.

It's probably possible, and there are possibly many different ways of doing it, but I'd be interested in anyone's thoughts.

Many thanks in advance
14 REPLIES

Miguel-Angel_RO
Valued Contributor II
Martin,

I'm not 100% sure because I never tested your scenario.

In the 802.1X config of the Windows PC you must select "User or computer authentication".
When the computer starts, it will authenticate with the computer credentials giving access to network for GPO updates, etc.
When the user logs on it should send his own user credentials.
If the PC has been authenticated previously matching an AD group it should be registered as an end-system belonging to the AD group (GROUP-YYY). If so, a rule "Authentication is 802.1X (PEAP) and User is in GROUP-XXX and End-System is in GROUP-YYY" should trigger for a domain PC only (belonging to GROUP-YYY).

I'll try to test this this week.

Mig

Anonymous
Not applicable
Hi Mig,

Thanks for responding.

Apologies in advance if there is a misunderstanding in my interpretation; I appreciate the feedback as it opens the discussion, so these are just my thoughts...

If I take that example and connect any PC with the Windows supplicant enabled for PEAP to the wired or wireless network, I would be presented with a bubble that allows me to input an AD username and password.

Based on the rule for 'User is in GROUP-XXX', authentication would pass on a valid username and password, and authorisation would also pass based on being in GROUP-XXX; I've now connected my non-corporate PC to the network.

This is the problem.

The machine rule would still take place prior, using rule 'End-system is in Group-YYY'. Well, in fact I would actually configure an NTLM-based authentication on this machine in AD because an actual password is stored in AD, and then do an authorisation based on the 'End-system is in Group-YYY'. That's fine, the machine is then authenticated, no other machine can connect that way, but it's separate to user auth, it's not in addition from what I understand, so a simple user auth with PEAP will get you on based on those rules regardless of the machine.

TLS fixes that because it's certificate-based, and along with GPO and PKI it can be automated. It's secure in part because the issuing of certs is controlled by the root that's controlled by the organisation.

I have solutions working in this way, with machine and user certs. Problem is the supporting infrastructure can be complicated, difficult to manage and diagnose, with PEAP being much simpler but less secure.

I appreciate the trade-offs, and well, with more security comes the complication. The ability to do machine AND user authentication, either with just PEAP or with machine certs AND user with PEAP, would be the perfect answer.

I believe this can be done with custom supplicants, but without an Extreme one available I wondered if there were any other Extreme alternatives or off-the-shelf ones anyone has used?

Many thanks.

Miguel-Angel_RO
Valued Contributor II
Martin,

Starting from the end, the solution implies that you must be able to set up a rule with "Authentication is 802.1X (PEAP) and User is in GROUP-XXX and End-System is in GROUP-YYY".
GROUP-XXX will give you the new role and GROUP-YYY will validate that the device belongs to the domain (AD group).

Try forcing 802.1X/PEAP on the computer instead of TLS.
For GROUP-YYY, define a specific group in the AD and assign it to the computer account.
Same logic for the user.
The computer should register as an end-device with computer access and the end-user auth will change this.
Enable port link control, except if you have multiple devices per port.

Let us know,

Mig
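The rule logic Mig describes, "Authentication is 802.1X (PEAP) and User is in GROUP-XXX and End-System is in GROUP-YYY", next to the user-only rule Martin objects to, as an added Python example that is not code from the thread or from Extreme's product. It is a toy first-match rule engine with an end-system registry, not ExtremeControl's evaluation; the group names, MAC addresses, account names and policy labels are constructed for illustration.

```python
# Added example, not code from the thread or from Extreme: a toy model of
# first-match NAC rule evaluation with an end-system registry, to show why
# "User is in GROUP-XXX" alone is not enough and "... and End-System is in
# GROUP-YYY" is. All names, MACs and policy labels below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

GROUP_XXX = "GROUP-XXX"      # AD user group that should get the elevated role
GROUP_YYY = "GROUP-YYY"      # AD group containing the domain computer accounts
PEAP = "802.1X (PEAP)"       # authentication type as it would appear in a rule


@dataclass(frozen=True)
class AuthEvent:
    mac: str                 # end-system (MAC) seen on the port
    auth_type: str           # authentication type reported for this session
    username: str            # "host/<name>" for a computer account, else a user
    groups: FrozenSet[str]   # AD groups resolved for that identity

    @property
    def is_computer_account(self) -> bool:
        # Windows machine authentication presents the identity as host/<fqdn>
        return self.username.startswith("host/")


@dataclass
class Rule:
    name: str
    policy: str
    # predicate over (event, end-system groups already learned for this MAC)
    match: Callable[[AuthEvent, Set[str]], bool]
    # end-system groups this rule records for the MAC when it matches
    register: FrozenSet[str] = frozenset()


class NacEngine:
    """First matching rule wins; anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.end_systems: Dict[str, Set[str]] = {}   # MAC -> learned groups

    def authorize(self, ev: AuthEvent) -> str:
        es_groups = self.end_systems.get(ev.mac, set())
        for rule in self.rules:
            if rule.match(ev, es_groups):
                if rule.register:
                    self.end_systems.setdefault(ev.mac, set()).update(rule.register)
                return rule.policy
        return "Deny"


MACHINE_RULE = Rule(
    name="Domain computer (machine auth)",
    policy="Machine-Access",
    match=lambda ev, es: ev.auth_type == PEAP
    and ev.is_computer_account
    and GROUP_YYY in ev.groups,
    register=frozenset({GROUP_YYY}),
)

# The rule Martin objects to: any device with a valid GROUP-XXX user gets in.
USER_ONLY_RULE = Rule(
    name="User in GROUP-XXX",
    policy="Elevated-Access",
    match=lambda ev, es: ev.auth_type == PEAP
    and not ev.is_computer_account
    and GROUP_XXX in ev.groups,
)

# Mig's combined rule: the user must be in GROUP-XXX and the end-system must
# already be registered in GROUP-YYY by an earlier machine authentication.
COMBINED_RULE = Rule(
    name="User in GROUP-XXX and End-System in GROUP-YYY",
    policy="Elevated-Access",
    match=lambda ev, es: ev.auth_type == PEAP
    and not ev.is_computer_account
    and GROUP_XXX in ev.groups
    and GROUP_YYY in es,
)


def run_scenario(rules) -> Dict[str, str]:
    """Three constructed sessions: corporate PC boot, user logon on that PC,
    and the same user on a personal laptop that never did machine auth."""
    nac = NacEngine(rules)
    corp_pc, byod = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed
    return {
        "corp_boot": nac.authorize(
            AuthEvent(corp_pc, PEAP, "host/PC1.corp.example", frozenset({GROUP_YYY}))),
        "alice_on_corp": nac.authorize(
            AuthEvent(corp_pc, PEAP, "alice", frozenset({GROUP_XXX}))),
        "alice_on_byod": nac.authorize(
            AuthEvent(byod, PEAP, "alice", frozenset({GROUP_XXX}))),
    }


if __name__ == "__main__":
    print("user-only rule:", run_scenario([MACHINE_RULE, USER_ONLY_RULE]))
    print("combined rule: ", run_scenario([MACHINE_RULE, COMBINED_RULE]))
```

With the user-only rule the personal laptop gets Elevated-Access on a valid AD password alone; with the combined rule it is denied because no machine authentication ever registered that MAC in GROUP-YYY. The end-system record is keyed by the MAC learned at machine auth, which is why Mig's port link control suggestion matters: the registration should go away with the link rather than outlive the device that earned it.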

Anonymous
Not applicable
Hi Bill,

Thanks for responding.

This was considered, and is always a contention point when first introducing authentication. The solution is both wired and wireless; the issue with EAP-PEAP is that any member of staff, or anyone who has managed to obtain a Windows account, can log in with any device they wish. This is the primary idea of using certs, as it offers the highest form of security and specifically addresses that vulnerability.

Certs can then be used to ONLY allow Corporate approved devices and users attaching to the network.

So there lies my conundrum... I can continue using machine certs, but the Windows supplicant can't change the authentication method to, say, PEAP, although that wouldn't necessarily fix my problem, as you still would be able to get on the network with an AD account since the supplicant is only performing computer OR client authentication, not both!

I know there are vendors that use their own supplicants to overcome these problems, and Windows is inherently limited.

So I am looking / hoping there is an Extreme solution that could help, hence why I started drifting towards using the API?

Probably need a custom supplicant, but what one could I use?

Many thanks

Bill_Handler
Contributor II
Martin,

Instead of using Certs for Machine and User, would the customer consider using EAP-PEAP? We ran into an issue on an install where the customer wanted to use machine certs, and EAP-PEAP for the user authentication. The problem was that when the user would log on, they would not re-auth.

Using EAP-PEAP with user and computer set solved the issue. The machine authenticated via NAC using its AD machine account and got on the network. When the user logs into the computer, the machine account logs out, and the user is then authenticated via NAC using their AD credentials.

Hope this helps.

Bill