22 Replies. Latest reply: Jul 16, 2014 8:29 AM by Jeff Rensink

    Machine authentication


      Dear all


      What are the differences between user authentication and machine authentication?

      The 802.1X/EAP authentication we know provides which one of them?

      Could anyone explain?


      Thank you

        • 1. Re: Machine authentication
          Pete Nugent

          You can do either for EAP-TLS or PEAP.


          The advantage of machine authentication is that you can have logon scripts run, etc., and the user experience is transparent, i.e. they log on in the normal way, as their machine will have authenticated and obtained an IP address just as if they were on a LAN.

          • 2. Re: Machine authentication

            The main difference is that machine authentication uses the machine object in Active Directory to query against and User authentication uses the user object.


            Now think about when the machine boots up.  If you use user authentication, then the user doesn't connect to the wireless until after you enter the user name and password to log into the machine.  Well, computer-based policies usually download at boot up, before the user logs in.  So if user authentication is used, the machine doesn't connect to the wireless at boot up and cannot download computer policies.


            I prefer machine authentication myself.  You can actually use both if you really wanted, and that is controlled at the client side.

            • 3. Re: Machine authentication

              Thank you very much Keith, petenugent and Jared for your answers


              From your replies I have understood that

              - 802.1X/EAP is user authentication

              - Machine authentication takes place when machine boots up and runs some scripts


              petenugent, you said EAP-TLS or PEAP can do either.

              From this I understand that 802.1X/EAP does machine authentication too. Am I right?


              I know how 802.1X/EAP works.

              But I can't figure out how machine authentication takes place.

              From where I can learn step-by-step about machine authentication?


              Any links or documents will be very good to understand it

              Again thank you very much

              • 4. Re: Machine authentication

                Machine authentication still uses 802.1x.  The only difference between the 2 really is what account the supplicant is using to authenticate with.  In a Windows AD environment, you have a computer account and a user account.  As the Windows machine boots up, the computer account is used to authenticate to the wireless using your Windows supplicant.  Once connected to the wireless, the computer account is used to log into AD and download any machine policies that may be assigned to that computer or the various groups it may belong to.


                Then the user login screen appears on the windows device.  Up to this stage, the machine account has been used to attach to the wireless and connect to AD for machine specific policies.  

                • 5. Re: Machine authentication

                  Hi Jared


                  Thank you very much

                  It is clear now



                  • 6. Re: Machine authentication

                    It took me a while to get my head around this as I am not an AD expert.  But I really like machine authentication and have deployed it in my environment.  One can think of it as a secure form of MAC authentication because it is machine based, only you are using computer objects in AD instead of a list of MAC addresses.


                    I wish Macs supported this.

                    • 7. Re: Machine authentication

                      Just be aware, that not all machines will be put on a domain, e.g. AD. Therefore one must resort to User Authentication.


                      For a wireless enterprise environment, for me, user authentication is much, much simpler to manage.

                      • 8. Re: Machine authentication

                        Understood.  It all really depends on the requirements of the organization.

                        • 9. Re: Machine authentication


                          • 10. Re: Machine authentication
                            Pete Nugent

                            Any security recommendations have to be tempered with both client capabilities and corporate requirements.


                            Usually recommend PEAP machine auth for corp data.

                            Guest Web auth but I have added encryption in the past.


                            Most do not want the hassle of EAP-TLS unless security is a real driving factor; then we can start upselling AwIPS, wired rogue detection, NAC etc.


                            Or ISE now.

                            • 11. Re: Machine authentication
                              Darshan Patel

                              I am trying to set up ISE for machine authentication for corporate laptops, and user authentication for smart devices.


                              Anyone know how to differentiate Authentication on ISE devices based on Machine and User? and which one to define first?

                              • 12. Re: Machine authentication

                                A machine which is a member of a Windows AD domain also has an account in the domain. In fact AD maintains the accounts with the reference called "Security Principal" associated with a machine or user account.


                                A machine account in AD domain is member of Domain Computers whereas User account is member of Domain Computers by default.


                                A machine which is a member of the domain also needs to authenticate as soon as Windows has initialized and the "Ctrl+Alt+Delete" or login screen appears, and before user authentication.


                                802.1x is the protocol which encapsulates EAPOL frames and provides authentication framework for both a machine as well as user, before the switch port becomes "Authorized" to send / receive Ethernet frames. EAP provides authentication methods, which are set of request & response messages.


                                A user cannot authenticate against AD unless the machine has authenticated, so while creating policy on ISE, the machine authentication condition should occur above user authentication. The user authentication condition would be dependent on the attribute "ismachineauthenticated".



                                • 13. Re: Machine authentication



                                  If you have enabled Machine or User authentication on your Windows laptop, the laptop would send its machine name in "Host\(machine name)" format to the RADIUS server for authentication. This happens while the machine is booting, before the username/password prompt comes up. The only thing is that the machine names should be located in the Active Directory.



                                  When you enter the username/password it is sent across to the Radius server for authentication as well.


                                  Depending on the configuration of the Radius server, you can configure it to allow/deny access if both the machine and user authentication passes or only if one of the two passes.



                                  Check http://www.youtube.com/watch?v=raDFQDTt9uY for more information about configuring ISE for Machine authentication.



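The ordering Ashok describes in reply 12 (machine condition above user condition, with user access depending on the machine having authenticated) and the "host/" identity and allow/deny combinations Kush describes in reply 13 can be modelled in a few lines. The Python below is an added example, not code from this thread or from Cisco ISE: the "host/<name>" and "DOMAIN\user" / "user@realm" identity formats, the in-memory directory sets, the per-MAC MachineAuthCache with its 8-hour TTL, and the mode names are all assumptions for illustration, not ISE attribute or policy names.

```python
"""Model of machine-first 802.1X/RADIUS policy ordering (added example, not from the thread).

Assumed (not stated on the page): the supplicant identity arrives as the RADIUS
User-Name string; computer accounts as "host/<name>" (reply 13 writes it as
Host\\(machine name)), users as "DOMAIN\\user" or "user@realm". AD lookups are
replaced by constructed in-memory sets, and the per-endpoint "machine was
authenticated" state is a hypothetical cache keyed by client MAC.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HOST_RE = re.compile(r"^host/([^/\\@]+)$", re.IGNORECASE)
USER_RE = re.compile(r"^(?:(?P<dom>[^\\]+)\\(?P<sam>[^\\@]+)|(?P<upn>[^@\\]+)@(?P<realm>.+))$")

# Constructed stand-ins for the AD computer and user objects.
DOMAIN_COMPUTERS = {"lt-0042", "lt-0099"}
DOMAIN_USERS = {"alice", "bob"}


def classify_identity(user_name: str) -> Tuple[str, str]:
    """Split a User-Name into ("machine", host), ("user", account) or ("unknown", raw)."""
    m = HOST_RE.match(user_name)
    if m:
        return "machine", m.group(1).lower()
    m = USER_RE.match(user_name)
    if m:
        return "user", (m.group("sam") or m.group("upn")).lower()
    return "unknown", user_name


@dataclass
class MachineAuthCache:
    """Hypothetical per-MAC record of a successful machine auth, with an expiry."""
    ttl: float = 8 * 3600
    _expiry: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._expiry[mac] = now + self.ttl

    def was_machine_authenticated(self, mac: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        exp = self._expiry.get(mac)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[mac]  # expired: a user-only session must not ride on it
            return False
        return True


def authenticate(user_name: str, eap_ok: bool) -> Tuple[str, str, bool]:
    """Authentication: the EAP exchange succeeded AND the account exists in the right AD container."""
    kind, ident = classify_identity(user_name)
    if kind == "machine":
        return kind, ident, eap_ok and ident in DOMAIN_COMPUTERS
    if kind == "user":
        return kind, ident, eap_ok and ident in DOMAIN_USERS
    return kind, ident, False


def authorize(user_name: str, mac: str, eap_ok: bool, cache: MachineAuthCache,
              mode: str = "machine_then_user", now: Optional[float] = None) -> Tuple[str, str]:
    """Authorization, evaluated machine condition first, then user condition.

    mode "machine_then_user": a user session is permitted only if this endpoint
         already passed machine auth (the dependency reply 12 describes).
    mode "either": machine OR user auth suffices (non-domain PC with AD user, reply 14's case).
    mode "machine_only": computer accounts only.
    Returns (decision, reason).
    """
    kind, ident, ok = authenticate(user_name, eap_ok)
    if kind == "machine":
        if not ok:
            return "reject", "machine-auth-failed"
        cache.record(mac, now)
        return "permit", "machine-auth"
    if kind == "user":
        if not ok:
            return "reject", "user-auth-failed"
        if mode == "machine_only":
            return "reject", "user-auth-not-permitted"
        if mode == "either":
            return "permit", "user-auth"
        if cache.was_machine_authenticated(mac, now):
            return "permit", "user-auth-after-machine-auth"
        return "reject", "user-auth-without-machine-auth"
    return "reject", "unknown-identity-format"


if __name__ == "__main__":
    c = MachineAuthCache()
    # Boot: computer account first, then the user logs on from the same endpoint.
    print(authorize("host/LT-0042", "aa:bb:cc:00:00:01", True, c, now=100.0))
    print(authorize("CORP\\alice", "aa:bb:cc:00:00:01", True, c, now=200.0))
    # Same user from a workgroup PC that never did machine auth.
    print(authorize("CORP\\alice", "aa:bb:cc:00:00:02", True, c, now=200.0))
    print(authorize("CORP\\alice", "aa:bb:cc:00:00:02", True, c, mode="either", now=200.0))
```

The "either" mode is what Matt's non-domain workgroup PCs would need: the user's AD credentials alone are accepted, at the cost of losing the "only our computers" property that machine authentication gives. The cache expiry matters in the strict mode: once a machine-auth record ages out, a user re-authenticating on that endpoint is rejected until the machine authenticates again.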




                                  • 14. Re: Machine authentication
                                    Matt Mckenna

                                    Hello all,


                                    I have many users who have AD credentials, but whose machines are not on AD. Many are on local workgroups, some are just standalone PCs.

                                    I was planning to use 802.1x with ISE to pass the user's AD credentials via EAP to the RADIUS server, which will in turn refer to AD for the user's credentials. I'm pretty confused, as Ashok is saying the user can't authenticate against AD unless the machine has also authed, but Kush is saying you can configure RADIUS to allow/deny access based on user or machine auth.


                                    So the question is, if a user's machine is not in the domain, will I be able to use 802.1x with ISE to enable the user to authenticate on a non domain machine using AD user credentials alone?


