Lab Minutes offers free Cisco lab videos to the Cisco user community. Each video presents you with a lab scenario, walks you step-by-step through device configurations, and demonstrates particular functionalities so you can watch and learn how they actually work on real devices. Our videos are suited for both beginners and experienced users. Subscribe to our channel to receive the latest video updates. Sign up on our website to get access to a personal video playlist and lab material download.
To do machine authentication with EAP-TLS you need 2 things. 1) Your Certificate Profile should have Binary Certificate Comparison checked. 2) For Binary Cert Comp to work you need to have your certificate published to the AD. To do this, duplicate the computer certificate template and select publish to Active Directory. What ISE (or ACS) does is that the thumbprint (SHA1 hash) of your certificate is compared to the thumbprint published to the AD for binary certificate comparison. Without this the machine auth request is treated as a user auth request and so not added to MAR cache.
The WasMachineAuth attribute is now working with ISE 1.2 w/patch#1. I use it in the user authorization condition and it was able to verify the previous machine auth had succeeded.
Actually if you think about this, user AD login has nothing to do with 802.1x authentication. As long as the machine authen passed and you allow the computer to communicate with AD, the user should still be able to log into AD, even though that could be his first time, create local user profile, and receive user cert pushed via GPO. Obviously, he will have no other network access at this point but at least he would have the user cert, and can just re-login to get full network access.
Okay, so when using EAP-TLS the user cert must be pre-deployed onto the client machine by IT before attempting to logon using 802.1x. That means in general a domain computer in an enterprise would only be usable by the one user that the PC was assigned to by IT. Any other user (say user2) attempting to login using that computer would fail unless they have IT push down a user2 cert? Btw, I'm having the same trouble with the WasMachineAuth too. I had to remove the Domain User in conditions to work.
ISE is smart enough to only use certificate profile with EAP-TLS and username/password on AD or local for PEAP. It doesn't really check them all every time. They were added under the same Ident source seq to save the config. You can separate them if you like and still get the same result.
The client certs are supposed to be pre-deployed (autoenrollment is one method) when the computer is built by IT admin or before ISE is rolled out into the network, so by the time users try to access the network using EAP-TLS, they already have the cert to use. Determining domain PC is a part of machine authentication and MAR helps tie user and machine authentication together through the "wasmachineauthenticated" condition.
When ISE performs user cert authentication, it does not involve AD. It only checks with AD for the authorization so I suspect this is why identity store is blank. CN name on the user cert can be anything if you just do authentication. If you also need authorization to work, CN has to be the same as AD username otherwise ISE will not be able to look up the user against AD to fetch the user group info. Only the CN name will show up on the report so that's all you have to query against.
We ran into an issue where ISE failed to verify previous machine authentication with native EAP-TLS and we suspect that this could be a bug as it was also reported by our other members and that's why we left that part of the video out. Look at our PEAP video SEC0043 to see how MAR is supposed to work. For MAR to work, you need both User and Machine authentication set on the client settings. Please go to the SEC0045 video page on our website and look at the comments section for more detail.
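A simplified model, added here and not Lab Minutes' or Cisco's code, of the flow described in the binary certificate comparison comment and the MAR comments above: the presented machine certificate's SHA-1 thumbprint is compared to the certificate published in AD for that computer, a match populates a MAR cache keyed by client MAC, and the later user authorization consults that cache (the "WasMachineAuthenticated" condition). Certificate bytes, hostnames, MACs and the aging time are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample "DER" certificate bytes (placeholders, not real X.509).
MACHINE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-MACHINE-CERT-CORP-PC"
ROGUE_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-NOT-PUBLISHED-IN-AD"

# Assumed: what the directory returns as the computer object's published
# certificate(s), keyed by hostname (constructed data).
AD_PUBLISHED_CERTS = {"CORP-PC-01": [MACHINE_CERT_DER]}


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, upper-case hex."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def binary_cert_compare(hostname: str, presented_der: bytes) -> bool:
    """Accept only if the presented cert's thumbprint matches one published
    in AD for this computer; an unpublished cert is rejected."""
    wanted = thumbprint(presented_der)
    published = AD_PUBLISHED_CERTS.get(hostname, [])
    return any(hmac.compare_digest(wanted, thumbprint(c)) for c in published)


class MarCache:
    """Minimal model of a MAR cache: client MAC -> time of machine auth."""

    def __init__(self, aging_seconds: int):
        self.aging = aging_seconds
        self.entries = {}

    def machine_auth(self, mac: str, hostname: str, cert_der: bytes, now: int) -> bool:
        """Machine auth succeeds only on a binary match; success is cached."""
        ok = binary_cert_compare(hostname, cert_der)
        if ok:
            self.entries[mac] = now
        return ok

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        """The WasMachineAuthenticated condition: a cache hit that has not aged out."""
        t = self.entries.get(mac)
        return t is not None and now - t <= self.aging


def user_auth_allowed(cache: MarCache, mac: str, user_cert_ok: bool, now: int) -> bool:
    """Full access requires a valid user cert AND a prior machine auth from this MAC."""
    return user_cert_ok and cache.was_machine_authenticated(mac, now)
```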
Btw, this is great stuff. I was really surprised that you were able to login successfully as Employee1 as well. Initially you've demo'd that only the Admin1 user cert was pushed down to the client machine. So, does the Employee1 user cert get downloaded upon logon due to autoenrollment configured on the certificate template on the CA? Also, I'm really curious how you determine if a client was a domain PC or not, thru the authentic/author policy configs or this MAR feature?
I've noticed that when you drill down on both the machine and user auth entries that there were no Identity Store and Active Directory Domain info? Also, the user name Admin1 seems to be the CN name in the cert. But, what if I wanted to do a report on all the domain users using the AD domain username that have attempted or successfully authenticated? Do I have to assume that the CN name must be a domain user, but can I query on reports using CN names? Displaying the domain name would be ideal.
When you created the identity source seq., you checked and selected the cert profile LM_CERT_CN, then added AD1 and then Internal Users. Does this imply that the order of look up is always certs 1st before AD1 and Internal Users? Also, at the bottom of that page you have "Do not access other stores in the sequence and set the 'AuthenticationStatus' attribute to 'ProcessError'" checked? If the order is certs 1st, won't that mean AD1 or Internal Users will never be used? Applies to access, not Not Found?
Did I miss the part on Machine Access Restriction (MAR) to ensure that a user can access the network only from a domain computer? I will assume that the MAR's part would have demo'd what would have happened if you used the non-domain LM-WIN7-NONCorp computer. How's it done? What I am most curious about is your 802.1x config on your Win7 client, the authentication tab. Did you select "User or computer authentication", "computer authentication" or "user authentication"? These 3 options are confusing.