User Profile Authentication Dependency

  • 2
  • Idea
  • Updated 1 year ago
Issue
How to stop staff authenticating to the corporate WLAN (802.1X authentication) using domain credentials and their personal Windows laptop.

Issue Description
When an 802.1X WLAN is created with wireless clients using both machine (computer) and user authentication, the wireless client authenticates twice:

* Machine (computer) authentication occurs before Windows displays the CTRL+ALT+DEL screen. When RADIUS returns the user profile attribute, the wireless client is matched into the user profile with the same attribute.

* User authentication occurs after the user enters their domain credentials at the CTRL+ALT+DEL screen. When RADIUS returns the user profile attribute, the wireless client is (i) moved from the previously mentioned machine authentication user profile to the user authentication user profile or (ii) if no machine authentication has occurred, the wireless client is placed into the user authentication user profile.

The issue is that if a staff member uses their domain credentials on their own Windows device, machine authentication will not occur (as the staff member's own Windows device will not initiate it) and the wireless device, after the staff member's credentials are validated, will be placed into the user authentication user profile.

There is currently no way to stop a wireless client successfully user authenticating if machine (computer) authentication has not occurred or has been unsuccessful.

If client classification rules are defined to reclassify Windows devices with an unknown device domain object, users can get around the client classification rules by entering their username as domain\username rather than just username. When this occurs the staff member's Windows device will be matched into the user authentication user profile and an unmanaged device now has access to the domain.

Possible Resolution #1
I would like to be able to define a user profile dependency so a wireless client can only be matched into one user profile if it is already a member of another user profile.

What I need this for is 802.1X authentication using machine and user authentication:

1. The wireless client with a MAC address of 01:23:45:67:89:ab is powered on.
2. The wireless client completes 802.1X machine authentication using host\hostname.
3. The RADIUS server returns the attribute matching the 802.1X-Machine-Auth user profile.
4. The wireless client is assigned the 802.1X-Machine-Auth user profile due to the returned RADIUS attribute.
5. The user enters their domain credentials at the CTRL+ALT+DEL screen.
6. The wireless client completes 802.1X user authentication using domain\username.
7. The RADIUS server returns the attribute matching the 802.1X-User-Auth user profile.
8. As the 802.1X-User-Auth user profile has a user profile dependency of the 802.1X-Machine-Auth user profile the access point checks if a wireless client with the MAC address 01:23:45:67:89:ab is currently assigned the 802.1X-Machine-Auth user profile.
9. As the wireless client is currently assigned the 802.1X-Machine-Auth user profile the user profile assignment is changed to the 802.1X-User-Auth user profile.
10. If the wireless client was not already assigned the 802.1X-Machine-Auth user profile it would be deauthenticated (this could be a user-definable option as to what process should occur if the user profile dependency is invalid).

Possible Resolution #2
Another option is to implement a machine authentication MAC address table and when a wireless client completes machine authentication the MAC address of the wireless client is placed into the machine authentication MAC address table. When a wireless client successfully completes user authentication the wireless client's MAC address is looked up in the machine authentication MAC address table and, if it is located, the machine+user authentication process is completed.

This method is currently utilised by Aruba. The machine authentication MAC address table is stored on the Aruba wireless LAN controller and you can see the machine authentication MAC address table using the CLI command show dot1x machine-auth-table.

The Cisco Access Control Server (ACS) has similar functionality where you can add a check in the user authentication rule so the rule is only matched if the wireless client is machine authenticated.

Why Not Just Use Machine (Computer) Authentication?
A number of sites just implement machine (computer) authentication and let the domain handle the user authentication, which is a workaround. The issue with implementing this workaround is that the HiveManager is only able to identify the wireless client and not the user. This is an issue if:

* You want to have client level reporting within HiveManager.
* You want to restrict access to specific staff members rather than just specific domain devices.

Crowdie, Champ
Posted 5 years ago
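
As an added illustration (not part of the post above and not HiveOS or HiveManager behaviour), the following Python model implements the two proposed binding checks: Possible Resolution #1 (a user profile that depends on the client already holding another profile) and Possible Resolution #2 (a machine authentication MAC address table with an expiry). The profile names are the ones used in the ten steps above; the class, method names, the TTL and the fallback-profile option are assumptions made for the example. Both checks are keyed on the client MAC alone, which is the weakness discussed further down this thread, so the model shows the proposed behaviour rather than a hardened design.

```python
"""Model of the two binding checks proposed in this post.

Added illustration, not HiveOS/HiveManager behaviour: profile names are the
post's; the class, method names, TTL and fallback option are assumptions.
"""
import time

MACHINE_AUTH_PROFILE = "802.1X-Machine-Auth"
USER_AUTH_PROFILE = "802.1X-User-Auth"

# Resolution #1: a user profile may require the client to already hold another.
PROFILE_DEPENDENCY = {USER_AUTH_PROFILE: MACHINE_AUTH_PROFILE}


class AccessPoint:
    """AP-side profile assignment with a dependency check.

    mode="profile"   -> Resolution #1: inspect the client's current profile.
    mode="mac-table" -> Resolution #2: look the MAC up in a machine-auth table
                        whose entries expire after machine_auth_ttl seconds.
    Both are keyed by client MAC only, so both share the MAC-spoofing
    weakness raised later in this thread.
    """

    def __init__(self, mode="profile", machine_auth_ttl=300,
                 on_violation="deauthenticate", clock=time.monotonic):
        if mode not in ("profile", "mac-table"):
            raise ValueError("mode must be 'profile' or 'mac-table'")
        self.mode = mode
        self.ttl = machine_auth_ttl
        # "deauthenticate", or the name of a profile to fall back to (assumed option)
        self.on_violation = on_violation
        self.clock = clock
        self.assigned = {}            # mac -> currently assigned profile
        self.machine_auth_table = {}  # mac -> expiry timestamp (Resolution #2)

    def _machine_auth_bound(self, mac, required_profile):
        """Is this MAC's earlier machine authentication still on record?"""
        if self.mode == "profile":
            return self.assigned.get(mac) == required_profile
        expiry = self.machine_auth_table.get(mac)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.machine_auth_table[mac]  # evict stale entry
            return False
        return True

    def deauthenticate(self, mac):
        self.assigned.pop(mac, None)
        self.machine_auth_table.pop(mac, None)
        return ("deauthenticate", None)

    def radius_accept(self, mac, returned_profile):
        """Apply the user profile named in a RADIUS Access-Accept for `mac`."""
        if returned_profile == MACHINE_AUTH_PROFILE:
            # Steps 2-4: machine auth (host\hostname) succeeded; record it.
            self.machine_auth_table[mac] = self.clock() + self.ttl
            self.assigned[mac] = MACHINE_AUTH_PROFILE
            return ("accept", MACHINE_AUTH_PROFILE)

        required = PROFILE_DEPENDENCY.get(returned_profile)
        if required is not None and not self._machine_auth_bound(mac, required):
            # Step 10: dependency unmet (e.g. a personal laptop that never
            # performed machine auth) -> the user-definable action.
            if self.on_violation == "deauthenticate":
                return self.deauthenticate(mac)
            self.assigned[mac] = self.on_violation
            return ("accept", self.on_violation)

        self.assigned[mac] = returned_profile  # Step 9: move to the user profile
        return ("accept", returned_profile)


if __name__ == "__main__":
    ap = AccessPoint()
    mac = "01:23:45:67:89:ab"
    print(ap.radius_accept(mac, MACHINE_AUTH_PROFILE))  # ('accept', '802.1X-Machine-Auth')
    print(ap.radius_accept(mac, USER_AUTH_PROFILE))     # ('accept', '802.1X-User-Auth')
    print(ap.radius_accept("aa:bb:cc:dd:ee:ff", USER_AUTH_PROFILE))  # ('deauthenticate', None)
```

The `clock` parameter is injectable so the expiry path of the MAC table can be exercised without waiting; in the "profile" mode the table is populated but never consulted, which mirrors the fact that the two resolutions are alternatives rather than layers.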

Nick Lowe, Official Rep
The issue is fundamentally with the typical EAP types not supporting chaining (EAP-PEAP, EAP-TTLS and EAP-TLS), something which EAP-TEAP is meant to ultimately resolve.

The proper solution has to be getting the TEAP EAP type ratified and implemented in supplicants and authentication servers.

Crowdie, Champ
Agreed but our clients need a solution today as they want their wireless networks today.

Nick Lowe, Official Rep
The question is how do you bind the two authentication processes securely. If you use the MAC address alone to bind, it would be vulnerable to another client that spoofs the MAC address. There is a race condition here too that a third party could exploit.

I cannot see that there is a complete solution until we get EAP-TEAP.

Crowdie, Champ
Has EAP-TEAP been ratified? I am finding contradicting information on it.

Nick Lowe, Official Rep
Sadly not... The latest draft is from September 2013:

http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-09

It does not stop anybody implementing it, however, and it is unlikely to change now in any substantial way.

PEAP is a non-ratified draft from years ago...

Crowdie, Champ
Interesting but after a quick glance it looks like it may have some of the same issues as EAP-FAST around security.

That said, you never really know until the standard is ratified and you have a go at hacking it in a lab.

Nick Lowe, Official Rep
The Aruba solution is likely to be completely and trivially broken as you can probably:

1) Perform the first device/machine phase of the authentication on the approved device and silence it.

2) Before any time out occurs, perform the second user phase on another device that spoofs the MAC address of the first.

If you need a quick, insecure workaround, why not just perform user authentication only and use the MAC address of the client to decide if you're going to allow it on or not?

For a secure solution today, have you considered using Cisco's AnyConnect supplicant with ACS/ISE as the RADIUS back end that can perform chaining by using an EAP type they implement/control?

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf

A potential caveat here is that there is presently a bug in HiveOS's accounting whereby an Acct-Session-Id is not sent in the Accounting-On and Accounting-Off forms of Accounting-Request packets. Cisco's ACS/ISE will probably expect by-the-book behaviour and error to some degree.

See the following for reference:
http://community.aerohive.com/aerohive/topics/radius_accounting_issue_with_330_and_320_series_aps

Nick

thewifigeek, Champ
Additional info: ISE default MAB and 802.1X look for Service-Type condition values "Framed" and "Call Check" respectively. The Aerohive APs do not send these when processing MAC auth or 802.1X requests to RADIUS.
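
Both RADIUS interoperability points raised in this thread (the Acct-Session-Id missing from Accounting-On/Off in Nick's post above, and the missing Service-Type here) can be checked from a capture before pointing APs at ACS/ISE. The following is an added example, not Aerohive or Cisco code: a minimal RADIUS attribute encoder/parser and a lint function that flags both conditions. The packet codes, attribute types and values are from RFC 2865 and RFC 2866; the function names, finding texts and the sample packets are constructed for the example.

```python
"""Lint RADIUS requests for the two interoperability gaps noted in the thread.

Added example (not Aerohive or Cisco code). Attribute/value numbers are from
RFC 2865/2866; function names, finding texts and samples are constructed here.
"""
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4     # RADIUS packet codes
SERVICE_TYPE, CALLING_STATION_ID = 6, 31      # attribute types (RFC 2865)
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44    # attribute types (RFC 2866)
FRAMED, CALL_CHECK = 2, 10                    # Service-Type values
ACCOUNTING_ON, ACCOUNTING_OFF = 7, 8          # Acct-Status-Type values
STATUS_NAMES = {ACCOUNTING_ON: "Accounting-On", ACCOUNTING_OFF: "Accounting-Off"}
HEADER_LEN = 20


def int_attr(attr_type, value):
    """Build a 32-bit integer attribute as a (type, value-bytes) pair."""
    return attr_type, struct.pack("!I", value)


def build_packet(code, attrs, identifier=1):
    """Encode a RADIUS packet. The 16-byte authenticator is zeroed because
    this is offline test data, not something to put on the wire."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_packet(data):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def _int_value(raw):
    return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None


def lint_request(data):
    """Return a list of finding strings; an empty list means nothing to report."""
    code, attrs = parse_packet(data)
    present = dict(attrs)  # last occurrence of a type wins; enough for these checks
    findings = []
    if code == ACCESS_REQUEST:
        service_type = _int_value(present.get(SERVICE_TYPE))
        if SERVICE_TYPE not in present:
            findings.append("Access-Request lacks Service-Type: ISE default 802.1X "
                            "(Framed) and MAB (Call Check) conditions will not match")
        elif service_type not in (FRAMED, CALL_CHECK):
            findings.append("Service-Type is neither Framed (2) nor Call Check (10)")
    elif code == ACCOUNTING_REQUEST:
        status = _int_value(present.get(ACCT_STATUS_TYPE))
        if ACCT_SESSION_ID not in present:
            name = STATUS_NAMES.get(status, "Accounting-Request")
            findings.append(f"{name} without Acct-Session-Id: RFC 2866 requires one "
                            "in every Accounting-Request, so a strict server may reject it")
    return findings


if __name__ == "__main__":
    # Constructed sample: a MAC-auth request that carries only Calling-Station-Id.
    sample = build_packet(ACCESS_REQUEST, [(CALLING_STATION_ID, b"01-23-45-67-89-AB")])
    for finding in lint_request(sample):
        print(finding)
```

To run this against real traffic, feed `lint_request` the UDP payload of each packet from a capture; the parser rejects length mismatches rather than silently truncating, which also makes it a reasonable first check on any NAS whose accounting looks odd.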

Crowdie, Champ
I suppose my issues with waiting for EAP-TEAP are:

1. When is it going to be ratified? Q1 2014? Q3 2014? Q2 2015?

2. Will it be natively supported by Windows? (even if after a hotfix update). As EAP-TTLS wasn't natively supported by Windows it just got killed by EAP-PEAP. Asking clients to license EAP clients causes license management and cost issues.

Nick Lowe, Official Rep
AnyConnect when just used as a supplicant is free to Cisco customers with an existing SMARTnet contract of any kind. No licence key is required either, it just installs. It is just the server that would need to be licensed.

No idea when TEAP will actually get ratified...

It is the first standards based tunnelling EAP type to attempt to mop up the mess so I suspect it will be supported by Windows.

PEAP was added to XP via SP1 so it is very possible they will do a hotfix or SP inclusion:

http://support.microsoft.com/kb/325725

Another option, if just supporting Windows clients from XP SP3 or newer, is to write your own SHA and SHV to ensure the client is domain joined or approved when user authentication occurs using the NAP API to extend PEAP with a custom SoH:

http://download.microsoft.com/download/a/f/d/afdfd50d-6eb9-425e-84e1-b4085a80e34e/svr-t343_wh07.pptx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa369712.aspx

http://code.msdn.microsoft.com/windowsdesktop/SHA-SHV-QEC-Sample-f975ceaf

If I get bored, I will have a look at how one might achieve that...

Another option for Windows would be to implement the TEAP EAP type from scratch based on the latest draft and plug it in to the native supplicant...

Crowdie, Champ
Nick, do you ever sleep? :-)

I did some more research on this:

The Cisco machine authentication validation is called Machine Access Restrictions (MAR) and has the following limitations:

* ACS earlier than 5.4 - MAR is localised only
* ACS 5.4 or later - MAR works across multiple nodes
* ISE - MAR is localised only

AnyConnect uses EAP-FASTv2, which is a Cisco proprietary protocol. EAP-FASTv2 supports authentication chaining but has extremely limited vendor support.

It all looks a bit messy at the moment. EAP-TEAP appears to resolve my issue but when can I have it?

thewifigeek, Champ
EAP-FAST is industry standard | RFC 4851

Another way of looking at authenticating domain managed machines/users is using client certificates (non-exportable certs) so you don't need to enable MAR. MAR fails in any of the following:
1. user hibernates laptop
2. Windows only
3. user docks laptop (Ethernet connected) then undocks to Wi-Fi connection. RADIUS hasn't seen Machine Auth so fails wifi.

Your use case, a domain user on a non-managed device, would authenticate via either PEAP-MSCHAPv2 or MAC Authentication + PEAP-MSCHAPv2.

If you are still concerned about the posture of the user's device then perhaps consider pushing the users to the DMZ or onto a VRF network.

All I'm saying is there is no silver bullet, so design multiple layers of defence. Also note, it has to be simple for the user otherwise they won't use the solution.

Hope this helps.

Crowdie, Champ
Do you have a preferred EAP-FAST module for Windows?  The standard Cisco ECPNode module is a pain to deploy across a large number of laptops.

Nick Lowe, Official Rep
EAP-FAST, yes an RFC, is a Cisco designed protocol that nobody outside of Cisco really implements.

EAP-TEAP is based on EAP-FAST and is the upcoming standard that will likely get implemented across the industry.

Crowdie, Champ
We have gone down the EAP-TLS route to get around the issue with PEAP MSCHAPv2.

thewifigeek, Champ
Crowdie, glad to hear it :-)  

If you are using Microsoft NPS you could also secure TLS connections against RADIUS cert signed by private CA and then have PEAP connections present RADIUS cert signed by public CA.  I believe this is a balance between security and flexibility for some BYOD devices.

Crowdie, Champ
That is exactly what I have designed.  EAP-TLS authenticated devices/users are placed into a trusted "zone" while PEAP MSCHAPv2 authenticated users are placed into a semi-trusted "zone".

Elisha Arko
It's urgent, can someone help please. Does EAP authentication have limitations on the number of users on a network? I don't remember configuring limitations on either the server or the gateway, but users on the network get disconnected after a period of time even when they are working.

Crowdie, Champ
Are you looking to limit the number of users on a WLAN?

Elisha Arko
No, please. Rather, the users get disconnected and I don't really know the cause of the disconnection.

Crowdie, Champ
A couple of questions:
  • Which EAP type (EAP-TLS, PEAP MSCHAPv2, etc.) are you utilizing?
  • In the AAA Client Settings have you enabled "Permit Dynamic Change of Authorization Messages (RFC 3576)"?
  • In the Client Monitor area what are you seeing when the client disconnects?

Elisha Arko
1. EAP - PEAP.

Please, where can I locate the AAA Client Settings and the Client Monitor in Server 2012?

Crowdie, Champ
The AAA Client Settings and Client Monitor are located in the HiveManager.

The AAA Client Settings are located at Configuration -> Advanced Configuration -> Authentication.

The Client Monitor is located at Tools -> Client Monitor.

Elisha Arko
Champ, this might sound funny but you need to help me out. I don't use HiveManager on the server. But you can let me know if that can be of use to advance my system, please.

I am using the Network Policy configuration system on Server 2012. So please point to the exact configuration you are describing.

You can inbox me for any personal discussions as well if you should give to me your email. mine is elishaarko@yahoo.com

Hear from you please

Crowdie, Champ
HiveManager is the wireless network management service - it is used to configure the access points.  You need to use the HiveManager to configure the access points to use the Network Policy Server (Windows RADIUS service) on Windows 2008 and 2012.

The AAA Client Settings is the area of the HiveManager where you point the access points to the Windows 2008/2012 Server running NPS.

The Client Monitor is a tool in HiveManager that shows the traffic to and from the wireless client during authentication.  It is used to fault find 802.1x and other authentication issues.

Your earlier post alluded to wireless clients being able to authenticate via 802.1x but, after a period of time, disconnect.  This does not sound like an 802.1x issue.

Elisha Arko
Ok Champ. But I am using Nanostation M2 access points, not Hive access points. Can I still install the Hive Manager tool and, if yes, where can I download it?

@this... Your earlier post alluded to wireless clients being able to authenticate via 802.1x but, after a period of time, disconnect.  This does not sound like an 802.1x issue.

What could cause that, if you have any idea?