User and machine authentication

Solved
MarcusR
Conversationalist

User and machine authentication

I have searched the forum, but not finding a specific answer.  Is there a way to only allow a user to connect on domain issued devices?  In other words, just because you have credentials to login doesn't mean you can connect with a personal device.

I have seen one or the other method, but not both.

1 Accepted Solution
CptnCrnch
Kind of a big deal
Kind of a big deal

@Johan_Oosterwaa:

Please take a look at https://tools.ietf.org/html/rfc7170 (Tunnel Extensible Authentication Protocol (TEAP) Version 1) or https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#Tunnel_Extensible_Authentication_Pr... as a starting point. 🙂

Also, the link provided to the blog entry about bow it's configured might help further.

 

Btw. and again: Windows is the only OS that differentiates machine from user authentication.

View solution in original post

7 Replies 7
CptnCrnch
Kind of a big deal
Kind of a big deal

That‘s not something that would be Meraki-specific. It mostly depends on your RADIUS and endpoint infrastructure:

 

  • Cisco ISE would allow you to leverage Anyconnect Network Access Manager and EAP chaining („propietary„ solution)
  • Another option is using Cisco ISE other with Win10 2004 and TEAP (the new standard for EAP chaining)
PhilipDAth
Kind of a big deal
Kind of a big deal

No.

 

L2TP over IPSec only supports PAP based authentication.  The standard provides no way to do both a machine and user authentication.

 

When AnyConnect gets released for MX then you could use something like Cisco ISE to achieve this (as pointed out by @CptnCrnch ).

TEAP is the long term dream goal, but we need RADIUS servers to be upgraded to support this, and much broader client support.  Give it 7 more years.

CptnCrnch
Kind of a big deal
Kind of a big deal

@PhilipDAth as we're in the Wirless corner, I didn't think about L2TP over IPSec. 😉

 

TEAP on the other hand is already there, I was able to fiddle around with it last year in October: https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/

As Windows is the only OS that seperates User from Machine based authentication, there's no need to dream further. 😉

PhilipDAth
Kind of a big deal
Kind of a big deal

Silly me.

 

But only Windows 10 (and recent Windows 10) supports this, and nothing else.  Correct?

 

 

I think this user might be better off using certificates and not bother with usernames based authentication.

CptnCrnch
Kind of a big deal
Kind of a big deal

Exactly @PhilipDAth. Windows 10 2004 is the first edition that supports TEAP.

 

Btw. you can leverage certificate based authentication for machine and user. 😉

Johan_Oosterwaa
Getting noticed

We use certificate based authentication to only allow domain laptop on our network. 

Most importantly, the EAP protocol is capable of carrying only one Authentication at a given time. It can be either User or Computer and never both. That is Protocol limitation defined in RFC. Thus the AAA or Radius Server has no method of knowing if this request is coming from an unauthenticated machine.

CptnCrnch
Kind of a big deal
Kind of a big deal

@Johan_Oosterwaa:

Please take a look at https://tools.ietf.org/html/rfc7170 (Tunnel Extensible Authentication Protocol (TEAP) Version 1) or https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#Tunnel_Extensible_Authentication_Pr... as a starting point. 🙂

Also, the link provided to the blog entry about bow it's configured might help further.

 

Btw. and again: Windows is the only OS that differentiates machine from user authentication.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels