topic Re: Issue with Windows 10 and PEAP in Network Access Control

Issue with Windows 10 and PEAP

Igor.Dyakonov — Fri, 04 Sep 2020 18:20:17 GMT

Hello, community

We're experiencing a following issue with our ISE 2.7 (patch 2).

PEAP doesn't work if we don't save credentials manually.

We can't save credential for all our employees for an obvious reason of security. (We don't know each particular password and we can't run GPO either).

PEAP runs smoothly if we save credentials. Anyconnect NAM (EAP-FAST) also works great but we still need to be able to run native 802.1x on Windows 10 PCs.

We suspect it can be Windows 10 supplicant ( the version is 1703 build 15063.2108) . Should we apply some MSFT KB patches? If so which are those?

If anyone had this issue please comment.

Thank You!

Regards.

Re: Issue with Windows 10 and PEAP

Colby LeMaire — Sat, 05 Sep 2020 15:34:52 GMT

First thing is that your version of Windows 10 that you are running is End of Service. There have been quite a few versions since then. Check out the following page for more information on the Windows 10 versions and associated KB articles:

https://docs.microsoft.com/en-us/windows/release-information/

Are your computers joined to a domain? When you say PEAP doesn't work, can you provide more details? Is it a case of the computer having no access when the user is not logged in?

Re: Issue with Windows 10 and PEAP

Igor.Dyakonov — Sat, 05 Sep 2020 19:25:41 GMT

Hi, Colby

I'm aware that our PCs has EoS version of Windows 10. I can't do much there as it's not my decision.

Thank You for the link. Not sure whether we can still apply some dot1x related patches to our current Win10 or just upgrade to newer version of Win10. The last option "upgrade Win10" will be just too long to wait in our implementation of ISE in this moment.

Are your computers joined to a domain?

Yes, they are.

When you say PEAP doesn't work, can you provide more details?

PEAP (MSHCAP) doesn't work if we don't save credentials manually (screenshot in my previous post) however PEAP runs smoothly if we save credentials. We have tried to "Lock the user" and "Restart" Windows 10 but nothing helps.

So it's not that ISE has some issue it's rather supplicant PCs don't send user credentials. Running from switch "show auth sess int x/x" and doing some debug we can only see that dot1x is rather "running" or "stopped".

Here is a complete configuration of dot1x on a PC. Nothing special.

>>Is it a case of the computer having no access when the user is not logged in?

User always has an access because right now these ports run in open mode.

Re: Issue with Windows 10 and PEAP

Colby LeMaire — Sun, 06 Sep 2020 03:27:09 GMT

Ok, I see the issue now. It is not a problem with the supplicant at all. You are configured to do "User authentication" only. With Windows, the native supplicant does not have access to the user credentials until the user logs in. Or as in your case, you save the credentials that the supplicant should use before the user logs in. So that makes sense that you see 802.1x running or stopped because the supplicant won't respond unless it has credentials to send.

I highly recommend changing your supplicant configuration to "Computer authentication" so that you know the computers connecting are machines within your domain. And the computers would be able to authenticate to the network before the user logs in.

Re: Issue with Windows 10 and PEAP

Greg Gibbs — Mon, 07 Sep 2020 00:36:27 GMT

Is the screenshot above that shows the 'Automatically use my Windows logon name...' option ticked from a working or non-working PC? If this is from a working PC, you might be running into an issue with Credential Guard being enabled for the non-working PCs.

See this post for more info on Credential Guard.

Re: Issue with Windows 10 and PEAP

Igor.Dyakonov — Mon, 07 Sep 2020 12:29:38 GMT

>>With Windows, the native supplicant does not have access to the user credentials until the user logs in.

The native supplicant should have access to the user credential because of enabled checkbox "Automatically use my Windows logon name and password". Even if it hasn't a user credentials Windows should presenet a Security pop-up window like this https://filestore.community.support.microsoft.com/api/images/112e975c-62f9-4bb0-97e6-2b8cbc7dcaa5

>>I highly recommend changing your supplicant configuration to "Computer authentication" so that you know the computers connecting are machines within your domain. And the computers would be able to authenticate to the network before the user logs in.

I've already ran different options as "Computer auth" or "User or Computer auth" . Computer authenticates but user doesn't. We still need to authenticate user.

Re: Issue with Windows 10 and PEAP

Igor.Dyakonov — Mon, 07 Sep 2020 12:37:10 GMT

>>Is the screenshot above that shows the 'Automatically use my Windows logon name...' option ticked from a working or non-working PC?

Non-working PC. I have tried to disable/enable this option but it dind't help.Even if it hasn't a user credentials Windows should presenet a Security pop-up window like this https://filestore.community.support.microsoft.com/api/images/112e975c-62f9-4bb0-97e6-2b8cbc7dcaa5

But it doesn't show this popup

>>you might be running into an issue with Credential Guard being enabled for the non-working PCs.

Yes, it's clearly something to do with Windows credentials. I've disabled every option related to Credential Guard. Still it didn't help.

Re: Issue with Windows 10 and PEAP

Mahendervyas35821 — Thu, 21 Oct 2021 10:58:07 GMT

Hi ,

Did you got any solution for this , I face same issue but not getting any solution for this .

Please let me know if you got solution for this.

Re: Issue with Windows 10 and PEAP

leejasper — Tue, 14 Mar 2023 00:01:22 GMT

Hello Colby:

This was very helpful information. I was experiencing similar issues however now I am my users are have to accept multiple user certificates and in the event they log into a new machine, they again have to accept the cert. If I set the supplicant to Computer Authentcation only, does that resolve that issue as they would only accept the cert presented to them by ISE during initial access.

Re: Issue with Windows 10 and PEAP

isravr — Wed, 03 May 2023 23:57:33 GMT

>>With Windows, the native supplicant does not have access to the user credentials until the user logs in.

My question is:

NAM (supplicant Cisco) does have it?