cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Dynamic Policy Without User Certificates

Dynamic Policy Without User Certificates

Anonymous
Not applicable
Hi,

Have a scenario where a customer is using a Windows supplicant and would like to use 802.1x certificate based port authentication.

Machine certs used to only allow corporate machines onto the network and re-auth using user certs when a user logs on to the system with elevated policy privileges dependant on whom logs in - which all works.

The question is; is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses machine cert to connect to the network but the use of roaming certificates is proving a challenge on the Microsoft side of things, its a little clunky!?. User certs are needed to pass the username as part of the authorisation process to assign the associative rule in NAC based on AD group.

I know you can argument the XMC database with username details, say through kerberos snooping, API integration say with Palo Alto. The problem is in the past when I've tried using this information as part of the NAC rules the information appears after the fact of the port being authenticated.

One example of that was using DHCP fingerprint to determine device type, say a specific printer to complement MAC authentication, but because that information isn't available after the fact of authentication you can't use it.

Its probably possible, and possibly many different ways of doing it, but be interested in anyone's thoughts,

Many thanks in advance
14 REPLIES 14

Anonymous
Not applicable

Thanks Mig.

Let me know how you get on. Interested in the results. Probably need to do some further testing myself.

Look forward to catching up then.

Cheers.

Miguel-Angel_RO
Valued Contributor II

Martin,

Access Control doesnā€™t rely on the hostname.

It will at least check teh mac-address and finger printing to ensure it is the same device.

picking up the hostname will not give access to the network.

Mig

PS:I still need to test the solution proposed before.

Anonymous
Not applicable

Hi Bill,

Thanks for responding.

The forum is great, but sometimes its useful just to have someone else to call and bounce ideas off. Be useful to build a community of like minded people just to chat some times - so open for a call anytime. 

So, I could be wrong here, and perfectly happy to be wrong as simply just want to get the right answers, feel free to shoot me down šŸ™‚

I am also completley splitting hairs here, and get what you are saying and know that would indeed work, but you can still get my laptop on that network because its not machine AND user auth.

The first step if configured properly would do machine NTLM based authentication, perfect, only a corporate machine will get on. When logging in as a user though you are still just doing user authentication and then simply doing hostname (lookup) authorisation based on the rule youā€™ve created.

So, an example might be an emplyee who has a corporate machine and also thereby has a AD account. They decide to bring in their laptop and connect it to the corporate network. They simply change the hostame of the laptop to match their current machine. When they connect it will fail machine authentication, BUT they will presented with the username and password buble for PEAP based authentication of which they will enter their AD credentials. The laptop will then get on the network because the user passed authenticaiton and the hostname passed authorisation because it simply just matches the name based on the end-system configuration, because the hostname is doing authorisation not authentication of the machine. Think I could do the same with my IPhone connecting to wireless, just change the phones name to match a matching hostname that exists in AD of that group, put in my username and password and Iā€™m in.

Again, that is a little over the top but my point is that either using certificates or doing machine AND user authentication is the only way to overcome the porblem of allowing only corporate machines on the network when using some kind of user authenticaton.

Well kind of hoping not, and hopeing someine will put straight on my theory and there is a way around it.

Cheers,

 

Bill_Handler
Contributor II

Martin,

you can set the the rule to filter on the end-system as well as the user group, and use AD to match both conditions.

The first rule would allow the machine to authenticate via 802.1x PEAP using itā€™s AD machine user account, this would allow the machine to get onto the network - as mentioned previously.  

Once the end-user logs on, then authentication is triggered again, and the matching rule can be set to match that userā€™s AD OU/Group/etc. and the machineā€™s AD group as well before allowing access to the network.

We have set this up for our end-customers and it does work as explained.

If a user attempts to gain access with a non-domain device, it fails due to not matching the end-system portion of the rule.

This may be something better explained/shown offline on a call/remote session...

Anonymous
Not applicable
Hi Mig,

Let me know how you get on.

The 'if so' bit it the bit I believe doesn't happen.

The PC authenticates when the machine connects, runs through the rule engine and ends there, accept or reject. When the user logs on the authentication starts again, runs through the rule engine as a fresh request.

I've not seen an option (although it could exist) around the 'if so' part, that would additionally solve the problem.i.e. you could create a rule that remembers or puts that machine into a special group that you can then test on you do a user auth, which says that machine has already passed authentication.

That's made me think though, maybe there is something along those lines that could be done.

I'll give that some thought also

Thanks!
GTM-P2G8KFN