This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- Re: Dynamic Policy Without User Certificates
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Dynamic Policy Without User Certificates
Dynamic Policy Without User Certificates
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-09-2019 03:19 PM
Hi,
Have a scenario where a customer is using a Windows supplicant and would like to use 802.1x certificate based port authentication.
Machine certs used to only allow corporate machines onto the network and re-auth using user certs when a user logs on to the system with elevated policy privileges dependant on whom logs in - which all works.
The question is; is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses machine cert to connect to the network but the use of roaming certificates is proving a challenge on the Microsoft side of things, its a little clunky!?. User certs are needed to pass the username as part of the authorisation process to assign the associative rule in NAC based on AD group.
I know you can argument the XMC database with username details, say through kerberos snooping, API integration say with Palo Alto. The problem is in the past when I've tried using this information as part of the NAC rules the information appears after the fact of the port being authenticated.
One example of that was using DHCP fingerprint to determine device type, say a specific printer to complement MAC authentication, but because that information isn't available after the fact of authentication you can't use it.
Its probably possible, and possibly many different ways of doing it, but be interested in anyone's thoughts,
Many thanks in advance
Have a scenario where a customer is using a Windows supplicant and would like to use 802.1x certificate based port authentication.
Machine certs used to only allow corporate machines onto the network and re-auth using user certs when a user logs on to the system with elevated policy privileges dependant on whom logs in - which all works.
The question is; is there a means to elevate dynamic policy rule assignment based on AD group without user certs? The device still uses machine cert to connect to the network but the use of roaming certificates is proving a challenge on the Microsoft side of things, its a little clunky!?. User certs are needed to pass the username as part of the authorisation process to assign the associative rule in NAC based on AD group.
I know you can argument the XMC database with username details, say through kerberos snooping, API integration say with Palo Alto. The problem is in the past when I've tried using this information as part of the NAC rules the information appears after the fact of the port being authenticated.
One example of that was using DHCP fingerprint to determine device type, say a specific printer to complement MAC authentication, but because that information isn't available after the fact of authentication you can't use it.
Its probably possible, and possibly many different ways of doing it, but be interested in anyone's thoughts,
Many thanks in advance
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-12-2019 12:05 PM
Hi Martin.
Regarding HA:
- You can have XMC as HA. One of the options is described here.
- If the connection between XMC and engine is not available:
- Timed-out devices are not removed = the list of computers authenticated in the last 24 hours is updated by XMC = not NetOps issue.
- New devices are not added = this might be a NetOps issue. New company-owned devices will be handled as BYOD devices until the connection is established again.
- End-system groups are automatically synchronized in the background = there is no issue for devices already in the list of computers authenticated in the last 24 hours.
- 24 hours is just an example. It is a configurable variable in the workflow.
Regarding supplicant:
- The missing option to combine EAP-TLS and PEAP is a limitation of MS supplicant.
- You can theoretically use custom supplicants...
Regards
Regards
Zdeněk Pala
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-12-2019 11:38 AM
Hi Z,
Thanks for posting back.
That was the exact method I was trying to accomplish but didn’t know how or even if it was possible, didn’t think about workflows! First time I’ve seen a real practical use for it.
That would though make XMC a critical component in the process though right, so redundancy for XMC would need to be considered?
That said, I have a customer that is already using certs and wanted to use dynamic policy based on username without being dependent on a user cert, mainly because of the back-end complications in accomplishing that.
I can’t switch the supplicant from EAP-TLS to PEAP, but wondered if there was another way of doing it, like using Kerberos snooping for example…. the problem is the ‘Authentication’ element, it has to be one or the other, so think I’m stuck without a custom supplicant?
Thanks,
Martin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-12-2019 10:51 AM
Hi Martin.
consider following approach:
- use PEAP for both computer and user
- If there was a computer authenticated less then 24 hours ago then the user authentication is accepted as “User on corporate device”
- If there was no computer authenticated less then 24 hours ago then the user authentication is accepted as “User on non-corporate device”
If the above is acceptable then "User authenticated on domain computer" is the solution for you.
Regards
Zdeněk Pala
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-15-2019 10:21 AM
Martin,
We’ve verified that changing the name does not work when we set this up some time ago. It looks at more than just the hostname when it checks AD.
The best thing to do is to test this for yourself in a test environment, or to see it in action.
