topic Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions in Network Access Control

Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Thu, 23 Jul 2020 13:17:50 GMT

Hi,

I know it may looks weird but as we use Cisco devices and ISE is one of the bests for NAC, I'm asking the question here hoping to find some help.

As we know, NAP service or agent is not included on windows 10. Prior to it (on windows 7) we used NAP and NPS to control and prevent non joined computers to get access to network. With windows 10 this is not an option and I don't like to get involved with complexity and costs of Cisco ISE and solutions like that. Is there anyway for this to be done using methods like certificates or so?

P.S.

MAC filtering and security, DHCP or solutions like that are not acceptable cause we cannot wholly prevent people bringing their own devices to work (So they can change their MAC, use static IP's , etc.)

We use Windows 2016 AD domain, Windows 10 clients and Cisco devices if it helps.

Thanks !

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

Colby LeMaire — Thu, 23 Jul 2020 13:58:16 GMT

To authenticate the devices connecting to the network, you need to use 802.1x. With 802.1x, you need a Radius server of some sort. ISE is the Radius server. Microsoft also has NPS that is a Radius server. And I am sure there are a lot of free Radius servers out there.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Thu, 23 Jul 2020 14:28:43 GMT

Thanks but you are wrong. NPS and Windows 7 clients work without any problem (using 802.1X implementation). But on Windows 10, NAP agent is removed so you cannot send computer properties to the RADIUS server in order to make authentication. This is a common widely known problem on Windows 10 so we are forced to use other solutions that use an agent on the systems and connect to the related RADIUS like Cisco ISE.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

Colby LeMaire — Thu, 23 Jul 2020 14:58:58 GMT

I am not wrong! You asked about authenticating the Windows 10 machines to prevent non-corporate devices from connecting to the network. 802.1x is your answer and only requires the Windows Native Supplicant on Windows 10, a network device that supports 802.1x, and a Radius server. Microsoft NPS is a Radius server.

You are wrong! You are confusing Network Access Protection (NAP) with 802.1x authentication. NAP is like Cisco ISE Posture. It sends details about the machine's health to NPS for consideration in access policies. That DOES require the NAP agent. Just like with Cisco ISE, posture requires the Anyconnect Posture agent. But 802.1x is a separate thing.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Thu, 23 Jul 2020 19:30:43 GMT

Dear Colby,

Let's make it simple. As a Microsoft term, NAP is the service controlling
dot1x authenticating and the agent is removed in Windows 10. So, Computer
authentication is not possible in windows 10 without any agent and just by
using local and native supplicant. Cisco ISE and AnyConnect (on clients)
can do the job. Now, to make this discussion go ahead, please just answer
yes or no to this question:

Is it possible to control and prevent non joined computers from accessing
network in windows 10 without the need of any extra 3rd party agent?
(RADIUS server is not important and can be NPS or anything else)

My answer is NO, cause the service and agent doing this (name it NAP or NAC
or anything) is removed from windows 10.

Is your answer a YES to my specific question?

Many thanks

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Wed, 29 Jul 2020 16:53:32 GMT

Still stuck in the machine authentication problem and maybe these posts confirm that we need a 3rd Party agent on windows 10 because of lacking NAP.

https://social.technet.microsoft.com/Forums/office/en-US/1b027cc1-6b97-4779-b8e9-ced71ed93651/can-nps-force-computer-and-user-authentication?forum=winserverNAP

Enabling NAP will give you the option to combine user and machine groups in the same policy with an AND statement.

https://social.technet.microsoft.com/Forums/ie/en-US/bb886ded-19b5-4b58-9b39-dd572cbe4066/win10-8021x-profile-user-or-computer-authentication?forum=winserverNAP

I have the same issue that windows 10 unable to do machine authentication

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1b027cc1-6b97-4779-b8e9-ced71ed93651/can-nps-force-computer-and-user-authentication?forum=winserverNAP

Cisco ACS performs this duty by checking that the user authentication is precluded by a computer authentication, and if there is no computer authentication the user auth is rejected. The feature is called Machine Access Restrictions, though i'm not sure exactly how it works I assume it checks the client MAC address against the host and user auth request.

https://social.technet.microsoft.com/Forums/ie/en-US/5792931b-560f-440a-9ee0-4e03d165decd/windows-10-client-machine-information-in-nps-due-to-missing-nap-client?forum=winserverNAP

For other people that will read this, I finally managed to resolve my issue using:
Clearpass Policy Manager from Aruba Networks.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Wed, 29 Jul 2020 16:56:41 GMT

I think as you said, NAP sends information about machine health AND as a matter of fact, basic information about it including data that shows and verifies if it is a corporate joined to AD system. Will be happy and thankful to know how do you think about it.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

Colby LeMaire — Wed, 29 Jul 2020 17:13:44 GMT

As I said before, 802.1x authentication is separate from any posture/health checking. In Windows, the native supplicant (Wired AutoConfig or Wireless AutoConfig) can do machine authentication with 802.1x. The wireless supplicant is always enabled by default. For the Wired side, you need to configure "Wired AutoConfig" to start automatically. Once you do that, then you will see another tab show up on your network adapter properties where you can configure "Authentication." If you choose PEAP MS-CHAPv2 as your EAP protocol, then the computer will send its AD computer credentials to authenticate. So as long as the computer is joined to the domain, it will authenticate successfully. Assuming your Radius server is configured properly. So if you are just looking for authentication, then you do not need any third-party agent.

If you want to check health status or posture (i.e. anti-virus installed and up-to-date), then that is where you need an agent such as Anyconnect Posture Agent if using ISE.

That is what I was trying to explain to you from the beginning.

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Wed, 29 Jul 2020 17:57:42 GMT

Hi Colby,

Thanks for your help and points. I've just set up a lab with a Windows 2k19 hosting NPAS role, Win 10, and a Catalyst 2960 Cisco switch. I'm moving forward on this subject and will update the topic.

Regards

Re: Machine authentication on Windows 10 without using Cisco ISE or similar solutions

mhdganji110 — Fri, 31 Jul 2020 15:07:47 GMT

Dear Colby

Let me say that

It WORKED !!

Although there are still so many problems and imperfections but starting the service (Which I wonder why is not in automatic state by default) I was able to prevent non corporate machines from gaining access to the network.

There are still issues like this which may be related to Cisco switch or NPS configuration:

- Computer and then User authentication not working, (Both in the order mentioned)

- Computer information is sent as null. The user id is sent as the computer name

- Can't figure out a way to allow the non corporate computers to gain access and then decide about them based on different criteria (even when no preventive policy is set against a port. For instance, when I just set the rule to "Ethernet on the switch port side device or a simple day time restriction which is always true) to let a non joined PC to be able to connect but it does not work

I'll work on this and guess that it should move forward on Microsoft forums.

Regards,