https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667092#M576620 <P>Hi guys,</P><P>I am getting logs on DC that there is NTLMv1 communication from ISE server:</P><P><SPAN>I can see this communication happening when Windows computer authenticates to ISE from WiFi network using PEAP (EAP-MSCHAPv2) with computer authentication. Looks like </SPAN><SPAN>ISE takes MSCHAPv2 information and sends it to domain controller as NTLMv1 request, and I want it to be NTLMv2 due to the company security policy.<BR /></SPAN></P><P><SPAN>part of log: Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1</SPAN></P><P>Apart from settings in Passive ID section to use ntlmv1 or ntlmv2 (ntlmv2 is checked, but we are NOT using passive ID), I cannot find anywhere to specify/force Cisco ISE to use ntlmv2 and not ntlmv1 when it speaks with DC to authenticate users coming from 802.1x networks.</P><P>Is there a way to force the use of ntlmv2 towards DCs, for EAP authentications (<SPAN>PEAP EAP-MSCHAPv2</SPAN> in my case) coming from users?</P><P><SPAN>Thanks a lot in advance!</SPAN></P><P>Milos</P><P>&nbsp;</P> Wed, 10 Aug 2022 08:44:11 GMT milos_p 2022-08-10T08:44:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667092#M576620 <P>Hi guys,</P><P>I am getting logs on DC that there is NTLMv1 communication from ISE server:</P><P><SPAN>I can see this communication happening when Windows computer authenticates to ISE from WiFi network using PEAP (EAP-MSCHAPv2) with computer authentication. Looks like </SPAN><SPAN>ISE takes MSCHAPv2 information and sends it to domain controller as NTLMv1 request, and I want it to be NTLMv2 due to the company security policy.<BR /></SPAN></P><P><SPAN>part of log: Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1</SPAN></P><P>Apart from settings in Passive ID section to use ntlmv1 or ntlmv2 (ntlmv2 is checked, but we are NOT using passive ID), I cannot find anywhere to specify/force Cisco ISE to use ntlmv2 and not ntlmv1 when it speaks with DC to authenticate users coming from 802.1x networks.</P><P>Is there a way to force the use of ntlmv2 towards DCs, for EAP authentications (<SPAN>PEAP EAP-MSCHAPv2</SPAN> in my case) coming from users?</P><P><SPAN>Thanks a lot in advance!</SPAN></P><P>Milos</P><P>&nbsp;</P> Wed, 10 Aug 2022 08:44:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667092#M576620 milos_p 2022-08-10T08:44:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667474#M576625 <P>MSCHAPv2 is NTLMv1 based. I'm not aware of a way to 'force' the protocol to use NTLMv2 when used with EAP, hence the known issues caused by <A href="https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations" target="_blank" rel="noopener">MS Defender Credential Guard</A>. Microsoft's recommendation is to use EAP-TLS instead.</P> Wed, 10 Aug 2022 22:05:35 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667474#M576625 Greg Gibbs 2022-08-10T22:05:35Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667649#M576626 <P>Hi Greg,</P><P>&nbsp;</P><P>Thanks for clarification, I assumed something like that is happening.</P><P>On the other side, although like you said MSCHAPv2 is by default NTLMv1 based, Microsoft enabled possibility in their RADIUS server (NPS) to use strictly NTLMv2 when NPS speaks with DC:</P><P><A href="https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication" target="_blank">https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication</A></P><P>&nbsp;</P><P>Is there some possibility like this in ISE, using Active Directory advanced tuning configuration?</P><P>Case is, this is big thing from Security Department perspective, as NTLMv1 raise some red flags.</P><P>&nbsp;</P><P>Thanks a lot!</P><P>Milos</P> Thu, 11 Aug 2022 07:05:50 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4667649#M576626 milos_p 2022-08-11T07:05:50Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4668039#M576639 <P>The VPN use case is completely different than the EAP use case, hence, the specific phrasing I used when I said "I'm not aware of a way to 'force' the protocol to use NTLMv2 <STRONG>when used with EAP</STRONG>".</P> <P>This is a limitation of the protocol and the client supplicant, which is not something any configuration in ISE can change.</P> Thu, 11 Aug 2022 22:47:18 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4668039#M576639 Greg Gibbs 2022-08-11T22:47:18Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4668302#M576647 <P>Hi Greg,</P><P>I really was hoping there is some hidden/advanced parameter that can force ISE to use NTLMv2 for this case.</P><P>Thanks again for great explanation and discussion!</P><P>&nbsp;</P><P>Regards,</P><P>Milos</P> Fri, 12 Aug 2022 07:26:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-patch3-speaks-with-active-directory-using-ntlmv1/m-p/4668302#M576647 milos_p 2022-08-12T07:26:29Z