Machine authentication

Jul 29, 2011 12:38 AM

ebakyt, 34 posts since Mar 9, 2010

(9424 Views, 20 Replies, latest reply: Dec 1, 2013 1:05 PM by Jared)

Dear all,

What is the difference between user authentication and machine authentication?

The 802.1x/EAP authentication that we know, which one of them does it provide?

Could anyone explain?

Thank you

  • Pete Nugent, 1,256 posts since Dec 8, 2008
    1. Jul 29, 2011 4:39 AM (in response to ebakyt)
    Re: Machine authentication

    You can do either for EAP-TLS or PEAP.

    The advantage of machine authentication is that you can have logon scripts run, etc., and the user experience is transparent, i.e. they log on in the normal way, as their machine will have authenticated and obtained an IP address just as if they were on a LAN.

  • Jared, 5,498 posts since Jul 27, 2008
    2. Jul 29, 2011 9:53 AM (in response to ebakyt)
    Re: Machine authentication

    The main difference is that machine authentication uses the machine object in Active Directory to query against, and user authentication uses the user object.

    Now think about when the machine boots up. If you use user authentication, then the user doesn't connect to the wireless until after you enter the user name and password to log into the machine. Well, computer-based policies usually download at boot-up, before the user logs in. So if user authentication is used, the machine doesn't connect to the wireless at boot-up and cannot download computer policies.

    I prefer machine authentication myself. You can actually use both if you really want, and that is controlled at the client side.

  • Jared, 5,498 posts since Jul 27, 2008
    4. Aug 1, 2011 12:35 PM (in response to ebakyt)
    Re: Machine authentication

    Machine authentication still uses 802.1x. The only difference between the two really is what account the supplicant is using to authenticate with. In a Windows AD environment, you have a computer account and a user account. As the Windows machine boots up, the computer account is used to authenticate to the wireless using your Windows supplicant. Once connected to the wireless, the computer account is used to log into AD and download any machine policies that may be assigned to that computer or the various groups it may belong to.

    Then the user login screen appears on the Windows device. Up to this stage, the machine account has been used to attach to the wireless and connect to AD for machine-specific policies.

  • Jared, 5,498 posts since Jul 27, 2008
    6. Aug 2, 2011 5:43 AM (in response to ebakyt)
    Re: Machine authentication

    It took me a while to get my head around this, as I am not an AD expert. But I really like machine authentication and have deployed it in my environment. One can think of it as a secure form of MAC authentication, because it is machine-based, only you are using computer objects in AD instead of a list of MAC addresses.

    I wish Macs supported this.

  • CCNAMooky, 59 posts since Jun 23, 2009
    7. Aug 14, 2011 11:57 AM (in response to Jared)
    Re: Machine authentication

    Just be aware that not all machines will be put on a domain, e.g. AD. Therefore one must resort to user authentication.

    For a wireless enterprise environment, for me, user authentication is much, much simpler to manage.

  • Jared, 5,498 posts since Jul 27, 2008
    8. Aug 15, 2011 10:55 AM (in response to CCNAMooky)
    Re: Machine authentication

    Understood. It all really depends on the requirements of the organization.

  • CCNAMooky, 59 posts since Jun 23, 2009
    9. Aug 17, 2011 4:33 PM (in response to Jared)
    Re: Machine authentication

    True.

  • Pete Nugent, 1,256 posts since Dec 8, 2008
    10. Aug 19, 2011 5:53 AM (in response to CCNAMooky)
    Re: Machine authentication

    Any security recommendations have to be tempered with both client capabilities and corporate requirements.

    Usually recommend PEAP machine auth for corp data.

    Guest: web auth, but I have added encryption in the past.

    Most do not want the hassle of EAP-TLS unless security is a real driving factor; then we can start upselling AwIPS, wired rogue detection, NAC, etc.

    Or ISE now.

  • Darshan Patel, 1 post since Aug 11, 2009
    11. Mar 26, 2012 5:32 AM (in response to Pete Nugent)
    Re: Machine authentication

    I am trying to set up ISE for machine authentication for corporate laptops, and user authentication for smart devices.

    Does anyone know how to differentiate authentication on ISE devices based on machine and user, and which one to define first?

  • Ashok, 1 post since Apr 26, 2013
    12. Apr 26, 2013 12:33 PM (in response to ebakyt)
    Re: Machine authentication

    A machine which is a member of a Windows AD domain also has an account in the domain. In fact, AD maintains the accounts with the reference called "Security Principal" associated with a machine or user account.

    A machine account in an AD domain is a member of Domain Computers, whereas a user account is a member of Domain Computers by default.

    A machine which is a member of a domain also needs to authenticate as soon as Windows has initialized and the "Ctrl+Alt+Delete" or login screen appears, and before user authentication.

    802.1x is the protocol which encapsulates EAPOL frames and provides the authentication framework for both a machine as well as a user, before the switch port becomes "Authorized" to send / receive Ethernet frames. EAP provides the authentication methods, which are sets of request & response messages.

    A user cannot authenticate against AD unless the machine has authenticated, so while creating policy on ISE, the machine authentication condition should occur above the user authentication condition. The user authentication condition would be dependent on the attribute "ismachineauthenticated".

    Regards

  • Kush, 11 posts since May 14, 2013
    13. May 19, 2013 2:06 AM (in response to ebakyt)
    Re: Machine authentication

    Hi,

    If you have enabled machine or user authentication on your Windows laptop, the laptop would send its machine name in "Host\(machine name)" format to the RADIUS server for authentication. This happens while the machine is booting, before the username/password prompt comes up. The only thing is that the machine names should be located in Active Directory.

    When you enter the username/password, it is sent across to the RADIUS server for authentication as well.

    Depending on the configuration of the RADIUS server, you can configure it to allow/deny access if both the machine and user authentication pass, or only if one of the two passes.

    Check http://www.youtube.com/watch?v=raDFQDTt9uY for more information about configuring ISE for machine authentication.

    Please rate if helpful.

    Regards,
    Kush
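As an added illustration, not code from this thread and not Cisco ISE's own policy engine: a constructed Python simulation of the rule ordering Ashok describes (the machine rule evaluated above the user rule, and the user rule gated on a "was this endpoint machine-authenticated" attribute) together with the identity formats Kush mentions (the computer account presented with a host/ prefix, the user as DOMAIN\user or user@domain). The sample accounts, MAC addresses, the MachineAuthCache class, its 8-hour lifetime and the evaluate_request / run_demo names are all assumptions made for the example; a real RADIUS server keys its machine-authentication state and exposes the attribute in its own way.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample directory, standing in for AD lookups. Computer accounts
# are stored in AD as NAME$; user accounts by their sAMAccountName.
DOMAIN_COMPUTERS = {"LAPTOP01$", "LAPTOP02$"}
DOMAIN_USERS = {"jdoe", "asmith"}


@dataclass
class AccessRequest:
    """The fields of a RADIUS Access-Request that matter for this decision."""
    user_name: str            # RADIUS User-Name (the EAP identity)
    calling_station_id: str   # client MAC address as the NAS reports it
    credential_ok: bool       # outcome of the EAP inner method, assumed given


def classify_identity(user_name):
    """Split a User-Name into (kind, account-to-look-up).

    A Windows supplicant doing machine authentication sends 'host/<computer FQDN>';
    user authentication sends 'DOMAIN\\user' or 'user@domain'.
    """
    if user_name.lower().startswith("host/"):
        short_name = user_name[len("host/"):].split(".")[0]
        return "machine", short_name.upper() + "$"
    if "\\" in user_name:
        return "user", user_name.split("\\", 1)[1]
    if "@" in user_name:
        return "user", user_name.split("@", 1)[0]
    return "user", user_name


@dataclass
class MachineAuthCache:
    """Hypothetical 'was this endpoint machine-authenticated recently?' cache,
    keyed by Calling-Station-Id. This is the attribute the user rule consults."""
    ttl: timedelta = timedelta(hours=8)        # assumed lifetime of an entry
    entries: dict = field(default_factory=dict)

    def record(self, mac, now):
        self.entries[mac] = now

    def was_machine_authenticated(self, mac, now):
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.ttl


def evaluate_request(req, cache, now, require_machine_for_users=True):
    """Ordered rule set: machine rule first, then the user rule gated on the cache.
    require_machine_for_users=False models the 'either one passes' policy."""
    kind, account = classify_identity(req.user_name)

    if kind == "machine":                                   # rule 1: machine auth
        if account in DOMAIN_COMPUTERS and req.credential_ok:
            cache.record(req.calling_station_id, now)
            return "ACCEPT", "machine-auth"
        return "REJECT", "machine-unknown-or-bad-credential"

    if account not in DOMAIN_USERS or not req.credential_ok:  # rule 2: user auth
        return "REJECT", "user-unknown-or-bad-credential"
    if require_machine_for_users and not cache.was_machine_authenticated(
            req.calling_station_id, now):
        return "REJECT", "user-ok-but-machine-not-authenticated"
    return "ACCEPT", "user-auth"


def run_demo(require_machine_for_users=True):
    """Replay a constructed boot-then-logon sequence and return the decisions."""
    cache = MachineAuthCache()
    t0 = datetime(2013, 5, 19, 8, 0)
    domain_pc, workgroup_pc = "00-11-22-33-44-55", "66-77-88-99-AA-BB"
    sequence = [
        AccessRequest("host/laptop01.corp.example", domain_pc, True),     # boot: machine
        AccessRequest("CORP\\jdoe", domain_pc, True),                     # logon: user
        AccessRequest("asmith@corp.example", workgroup_pc, True),         # non-domain PC
        AccessRequest("host/unknown99.corp.example", workgroup_pc, True), # not in AD
    ]
    return [evaluate_request(r, cache, t0 + timedelta(minutes=i), require_machine_for_users)
            for i, r in enumerate(sequence)]


if __name__ == "__main__":
    for mode in (True, False):
        print("require machine auth for users =", mode)
        for decision, reason in run_demo(mode):
            print("  ", decision, reason)
```

With the default setting the third request (a valid AD user on a workgroup PC that never machine-authenticated) is rejected, which is the behaviour Ashok's ordering produces; switching require_machine_for_users off accepts it, which is Kush's "only one of the two passes" option. The cache lifetime is what makes the gating meaningful: an endpoint that machine-authenticated long ago should not keep satisfying the user rule indefinitely.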

  • Matt Mckenna, 1 post since Oct 10, 2013
    14. Oct 10, 2013 4:18 AM (in response to Kush)
    Re: Machine authentication

    Hello all,

    I have many users who have AD credentials, but whose machines are not on AD. Many are on local workgroups; some are just standalone PCs.

    I was planning to use 802.1x with ISE to pass the user's AD credentials via EAP to the RADIUS server, which will in turn refer to AD for the user's credentials. I'm pretty confused, as Ashok is saying the user can't authenticate against AD unless the machine has also authed, but Kush is saying you can configure RADIUS to allow/deny access based on user or machine auth.

    So the question is, if a user's machine is not in the domain, will I be able to use 802.1x with ISE to enable the user to authenticate on a non-domain machine using AD user credentials alone?

    Thanks!
