topic Re: windows 10 credential Guard issue in Network Access Control

windows 10 credential Guard issue

ggriesse@cisco.com — Mon, 14 May 2018 07:11:45 GMT

Hi all

Customer with predominately windows 10 install base .., current Auth schema is EAP-MSCHAPv2

Their standard policy requires Credential Guard to be on by default on the win 10 desktops , from what i have found this seems to disable the ability to use EAP-MSCHAv2 and forces EAP-TLS ...

Other than disabling Credential Guard , is there a way to get this to work ?

This article explains the issue : http://www.iphase.dk/2017/08/14/windows-10-credential-guard-and-cisco-ise-conflicts/

More : http://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html

Thx

Greg

Re: windows 10 credential Guard issue

nir-r — Mon, 14 May 2018 08:20:29 GMT

1. Disable Credential Guard

On the host operating system, click Start > Run, type gpedit.msc, and click Ok. The Local group Policy Editor opens.

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.

Select Disabled.

2. Use AnyConnect NAM instead of Windows 10 802.1x supplicant

Re: windows 10 credential Guard issue

ggriesse@cisco.com — Mon, 14 May 2018 14:26:50 GMT

So Disabling Credential guard is probably out for the customer .. the see it as a risk

If we go with Anyconnect NAM will it allow Eap-MSchapv2 EVEN with CG enabled on OS ?

Re: windows 10 credential Guard issue

ccubeman — Mon, 14 May 2018 14:45:38 GMT

You cannot do EAP-PEAP with Credential Guard enabled. We have a growing Windows10 implementation, and have switched to using machine/user certificates for authentication using EAP-TLS.

Re: windows 10 credential Guard issue

hslai — Mon, 14 May 2018 14:46:25 GMT

I do not believe NAM able to use password-based auth under the circumstance.

Re: windows 10 credential Guard issue

nir-r — Mon, 14 May 2018 15:05:06 GMT

It is working for me with EAP-FAST (EAP-MSCHAPv2)

Re: windows 10 credential Guard issue

Craig Hyps — Mon, 14 May 2018 21:05:54 GMT

I think it will depend where the credentials are stored. If fetched from Windows store, then expect same challenge as native supplicant with PEAP-EAP-MSCHAPv2.

Regarding "So Disabling Credential guard is probably out for the customer .. the see it as a risk", make sure customer understands this is NOT a Cisco ISE limitation but due to security feature that impacts Microsoft's own native supplicant. Certainly the more common workaround for customers wishing to keep Credential Guard is to implement EAP-TLS with certs.

Re: windows 10 credential Guard issue

ccubeman — Mon, 14 May 2018 21:59:51 GMT

This was my experience. EAP-PEAP with MSCHAPv2 is right out. EAP-TLS with machine/user certs was the only manageable method. I will note we use the native supplicant and not NAM.

Re: windows 10 credential Guard issue

Guillaume BARBEROT — Wed, 03 Apr 2019 07:05:13 GMT

Thanks Craig for the response, my only concern moving to EAP-TLS is using computer + user certificates

how can you provision user certs when first logon on the computer ?

we would like to have user certs for user based auth (like using anyconnect ISE posture)

- pre-provisionning user certs is not possible before user logs in

- when using "shared" computers with each person login => then this "first logon" use case will be very common, and should not force to have a special process to get user cert on computer.

1/ Does Anyconnect NAM have some advantages over microsoft native supplicant for this particular issue ?

2/ What does Cisco recommend as workaround to microsoft "credential guard" feature (which i understand is not Cisco's responsability), do you have a "straight" response to that issue customers are facing ?

Thanks

Guillaume

Re: windows 10 credential Guard issue

Jason Kunst — Wed, 03 Apr 2019 13:56:56 GMT

I recommend a posting in the anyconnect community

Re: windows 10 credential Guard issue

Andrii Oliinyk — Tue, 09 Apr 2019 16:24:21 GMT

hello Guill

in case it's still actual for u, just fallback to "Microsoft: SmartCard or other blah-blah" on the client. It will effectively turn PC to request EAP-TLS-only authentication. Meantime configuring ISE for EAP-TLS only is quite straitforward.