Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1415
Views
5
Helpful
2
Replies

ISE - EAP Chaining (TLS vs MSCHAP)

Go to solution
mitchell helton
Level 1
Level 1

‎04-23-2018 08:27 AM - edited ‎02-21-2020 10:54 AM

Good morning!

 

I'm having a tough time wrapping my brain around something, and hope you experts can help.  I also hope this isn't too vague of a question, and if it is, I can give specifics around why I'm asking. 

 

If I'm deploying user certificates via AD/GPO, is there any value in using certificates (EAP-TLS) for user authentication?  If someone captures a username/password, once they login as that user the certificate will be deployed to them any way.

 

Am I missing something?  I had originally wanted to do EAP chaining with TLS for user and machine and now I'm wondering if using TLS for machine and MSCHAPv2 for the user makes more sense.

 

So, I guess my question is, what value does TLS for user authentication have within chaining as opposed to MSCHAPv2?

 

Thank you!

 

mitch

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-24-2018 06:26 AM

Hi,
Using User Certificates for authentication in some environments can be a pain E.g. multiple users logging in and out of the same computer.

I don't see any issue using EAP Chaining (EAP-TLS for Computers and PEAP/MSCHAPv2 for User authentication). As long as the ISE rule is configured specifically = if User and Computer passed authenticiation then permit. If computer authentication fails but user authentication passes, either deny or limit the access with a DACL/TrustSec SGT etc.

HTH

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎04-24-2018 06:26 AM

Hi,
Using User Certificates for authentication in some environments can be a pain E.g. multiple users logging in and out of the same computer.

I don't see any issue using EAP Chaining (EAP-TLS for Computers and PEAP/MSCHAPv2 for User authentication). As long as the ISE rule is configured specifically = if User and Computer passed authenticiation then permit. If computer authentication fails but user authentication passes, either deny or limit the access with a DACL/TrustSec SGT etc.

HTH

Go to solution
mitchell helton
Level 1
Level 1
In response to Rob Ingram

‎04-24-2018 01:05 PM

That sounds reasonable to me.  Thanks so much for the input and advice!

0 Helpful
Customers Also Viewed These Support Documents