You can do either for EAP-TLS or PEAP.
The advantage of machine authentication is that you can have logon scripts run, etc., and the user experience is transparent, i.e. they log on in the normal way, as their machine will have authenticated and obtained an IP address just as if they were on a LAN.
The main difference is that machine authentication uses the machine object in Active Directory to query against and User authentication uses the user object.
Now think about when the machine boots up. If you use user authentication, then the user doesn't connect to the wireless until after you enter the user name and password to log into the machine. Well, computer-based policies usually download at boot up, before the user logs in. So if user authentication is used, the machine doesn't connect to the wireless at boot up and cannot download computer policies.
I prefer machine authentication myself. You can actually use both if you really wanted, and that is controlled at the client side.
Thank you very much Keith, petenugent and Jared for your answers
From your replies I have understood that
- 802.1X/EAP is user authentication
- Machine authentication takes place when machine boots up and runs some scripts
petenugent, you said EAP-TLS or PEAP can do either.
From this I understand that 802.1X/EAP does machine authentication too. Am I right?
I know how 802.1X/EAP works.
But I can't figure out how machine authentication takes place?
From where I can learn step-by-step about machine authentication?
Any links or documents will be very good to understand it
Again thank you very much
Machine Authentication still uses 802.1x. The only real difference between the two is what account the supplicant is using to authenticate with. In a Windows AD environment, you have a computer account and a user account. As the Windows machine boots up, the computer account is used to authenticate to the wireless using your Windows supplicant. Once connected to the wireless, the computer account is used to log into AD and download any machine policies that may be assigned to that computer or the various groups it may belong to.
Then the user login screen appears on the windows device. Up to this stage, the machine account has been used to attach to the wireless and connect to AD for machine specific policies.
It took me a while to get my head around this as I am not an AD expert. But I really like machine authentication and have deployed it in my environment. One can think of it as a secure form of MAC authentication because it is machine based, only you are using computer objects in AD instead of a list of MAC addresses.
I wish macs supported this.
Just be aware, that not all machines will be put on a domain, e.g. AD. Therefore one must resort to User Authentication.
For a wireless enterprise environment, for me, user authentication is much, much simpler to manage.
Any security recommendations have to be tempered with both client capabilities and corporate requirements.
Usually recommend PEAP machine auth for corp data.
Guest Web auth but I have added encryption in the past.
Most do not want the hassle of EAP-TLS unless security is a real driving factor; then we can start upselling AwIPS, wired rogue detection, NAC, etc.
Or ISE now.
I am trying to set up ISE for Machine Authentication for corporate laptops, and user authentication for smart devices.
Anyone know how to differentiate authentication on ISE devices based on Machine and User? And which one to define first?
A machine which is a member of a Windows AD Domain also has an account in the domain. In fact, AD maintains the accounts with a reference called a "Security Principal" associated with a machine or user account.
A machine account in an AD domain is a member of Domain Computers, whereas a user account is a member of Domain Computers by default.
A machine which is member of Domain, also needs to authenticate as soon as Windows has initialized and "Ctrl+Alt+Delete" or login screen appears, and before
802.1x is the protocol which encapsulates EAPOL frames and provides authentication framework for both a machine as well as user, before the switch port becomes "Authorized" to send / receive Ethernet frames. EAP provides authentication methods, which are set of request & response messages.
A user cannot authenticate against AD unless the machine has authenticated, so while creating policy on ISE, the machine authentication condition should occur above the user authentication condition. The user authentication condition would be dependent on the attribute "ismachineauthenticated".
If you have enabled Machine or User authentication on your Windows laptop, the laptop will send its machine name in "Host\(machine name)" format to the RADIUS server for authentication. This happens while the machine is booting, before the username/password prompt comes up. The only thing is that the machine names should be located in the Active Directory.
When you enter the username/password, it is sent across to the RADIUS server for authentication as well.
Depending on the configuration of the RADIUS server, you can configure it to allow/deny access only if both the machine and user authentication pass, or if only one of the two passes.
Check http://www.youtube.com/watch?v=raDFQDTt9uY for more information about configuring ISE for Machine authentication.
Please rate if Helpful
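To make the boot-then-logon sequence from the earlier reply (machine account at boot, user account at the logon screen) and the policy ordering from the two posts above concrete, here is a small added example in Python that is not code from the thread, from ISE, or from Windows. It models a RADIUS policy set with a machine-authentication rule ordered before a user-authentication rule, and a MAR-style cache keyed by the endpoint MAC (Calling-Station-Id) that stands in for the "was machine authenticated" attribute. The "host/" identity prefix, the attribute and rule names, the directory contents and the MAC addresses are all assumptions made for illustration; real ISE also expires the MAR cache after a configurable time, which this toy model omits. The same engine shows what happens to an AD user on a workgroup PC under a strict (machine required) versus a user-only policy.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed stand-in for the AD computer and user objects (not real data).
AD_COMPUTERS: Set[str] = {"laptop01", "laptop02"}
AD_USERS: Set[str] = {"alice", "bob"}


@dataclass
class Request:
    """One RADIUS Access-Request as the supplicant would present it."""
    identity: str          # EAP identity, e.g. "host/laptop01.corp.example" or "alice"
    calling_station: str   # Calling-Station-Id, the endpoint MAC address
    credential_ok: bool    # stands in for the EAP-TLS / PEAP-MSCHAPv2 inner result


@dataclass
class Decision:
    result: str            # "ACCEPT" or "REJECT"
    rule: str              # which ordered policy rule produced the decision
    is_machine_auth: bool  # the "was machine authenticated" attribute on this session


def classify(identity: str) -> Tuple[str, str]:
    """Split an EAP identity into (kind, name).

    Assumption: machine identities carry a 'host/' prefix (hostname, optionally
    FQDN); user identities are a plain account name or UPN."""
    if identity.lower().startswith("host/"):
        return "machine", identity[5:].split(".")[0].lower()
    return "user", identity.split("@")[0].lower()


class PolicyEngine:
    """Minimal model of an ISE-style policy set with a MAR cache.

    Rules are evaluated in order: machine auth first, then user auth, matching
    the ordering recommended in the thread."""

    def __init__(self, require_machine_auth_for_users: bool) -> None:
        self.require_machine = require_machine_auth_for_users
        # MAC -> True once a machine account has authenticated from that endpoint.
        self.mar_cache: Dict[str, bool] = {}

    def evaluate(self, req: Request) -> Decision:
        kind, name = classify(req.identity)

        # Rule 1: machine authentication. The computer object must exist in AD.
        if kind == "machine":
            if name in AD_COMPUTERS and req.credential_ok:
                self.mar_cache[req.calling_station] = True
                return Decision("ACCEPT", "machine-auth", True)
            return Decision("REJECT", "machine-auth", False)

        # Rule 2: user authentication, conditioned on the MAR result if required.
        machine_ok = self.mar_cache.get(req.calling_station, False)
        if name not in AD_USERS or not req.credential_ok:
            return Decision("REJECT", "user-auth", machine_ok)
        if self.require_machine and not machine_ok:
            return Decision("REJECT", "user-auth-requires-machine", False)
        return Decision("ACCEPT", "user-auth", machine_ok)


def domain_laptop_boot_and_logon(engine: PolicyEngine) -> Tuple[Decision, Decision]:
    """Domain-joined laptop: machine auth at boot, then the user logs on."""
    mac = "00:11:22:33:44:55"  # constructed
    boot = engine.evaluate(Request("host/laptop01.corp.example", mac, True))
    logon = engine.evaluate(Request("alice", mac, True))
    return boot, logon


def workgroup_pc_logon(engine: PolicyEngine) -> Decision:
    """Non-domain PC: no machine account, so only a user identity is ever sent."""
    mac = "66:77:88:99:aa:bb"  # constructed
    return engine.evaluate(Request("bob@corp.example", mac, True))


if __name__ == "__main__":
    strict = PolicyEngine(require_machine_auth_for_users=True)
    print(domain_laptop_boot_and_logon(strict))
    print(workgroup_pc_logon(strict))
    print(workgroup_pc_logon(PolicyEngine(require_machine_auth_for_users=False)))
```

The two policies differ only in whether the user rule checks the machine-authentication attribute: with the check on, the workgroup PC's AD user is rejected because no machine session from that MAC was ever seen, which is the situation the strict ordering enforces; with the check off, the user rule accepts on AD user credentials alone, which is the "either one passes" configuration described above.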
I have many users who have AD credentials, but whose machines are not on AD. Many are on local workgroups, some are just standalone PCs.
I was planning to use 802.1x with ISE to pass the user's AD credentials via EAP to the RADIUS server, which will in turn refer to AD for the user's credentials. I'm pretty confused, as Ashok is saying the user can't authenticate against AD unless the machine has also authed, but Kush is saying you can configure RADIUS to allow/deny access based on user or machine auth.
So the question is, if a user's machine is not in the domain, will I be able to use 802.1x with ISE to enable the user to authenticate on a non domain machine using AD user credentials alone?