topic Re: Cisco ISE integration with Microsoft Local Administrator password in Network Access Control

Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

mnabeel@ciso.com — Wed, 03 Jul 2019 17:37:56 GMT

Does anyone had experience of Microsoft Local Administrator Password Solution (LAPS) with Cisco ISE. One of my banking customer is managing user local admin account using Laps for the helpdesk operation. Customer system team are using local admin account where passwords are randomly generated.

Is there any integrations or alternate ?

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

hslai — Wed, 03 Jul 2019 19:32:11 GMT

I am unable to think of any ISE feature needing integrations with LAPS. Please let us know if your customer using anything specifics and encountering interaction issues between ISE and LAPS.

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Yahya Lababidi — Tue, 03 Mar 2020 17:42:12 GMT

Hello,

Yes, there is a reason to integrate LAPS with ISE. A LAPS user (local admin) needs a way to authenticate through 802.1x to pass through and gain wireless connection to 802.1x based wireless connections. Today, when a local user logs in to a domain computer, and with the dual auth (computer and user) profile enabled in ISE, that computer loses connection to the 802.1x based wireless network, because there is not a way to introduce that LAPS user into ISE with the randomized password.

Thanks,

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Cristian Matei — Tue, 03 Mar 2020 19:32:30 GMT

Hi,

On the Windows side, the random generated password is stored in the AD schema as an attribute to the computer object, so the ISE implementation for LAPS could be challenging.

What you can do is the following:

- Use a GPO so that when LAPS is being used, 802.1x is using computer only authentication, and have an appropriate ISE authorization profile with needed but restricted network access (regular users should never match this, as the GPO forces computer and user authentication in the 802.1x native supplicant profile and they can't modify it)

- Use a GPO so that when LAPS is being used, 802.1x is using both computer and user based authentication, use EAP-TLS and have a certificate in the LAPS user's profile that has something different than regular user certificates, and use it as condition in your ISE authorization profile

Regards,

Cristian Matei.

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Yahya Lababidi — Wed, 04 Mar 2020 02:01:41 GMT

Thanks for the quick response.

Do you have some example links that explain the GPO part of both cases. I did a bit of search and the results were general and didn't pertain to this specific case.

Thanks again!

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Cristian Matei — Wed, 04 Mar 2020 09:33:29 GMT

Hi,

Here's astep-by-step example for the GPO part.

https://www.raydbg.com/2017/How-to-Configure-Wired-Authentication-Settings-via-GPO/

Regards,

Cristian Matei.

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

SHABEEB KUNHIPOCKER — Tue, 10 Mar 2020 15:27:25 GMT

Hi,

I have the same requirement in a NAM environment. Is it possible to do this ?.

Thanks and Regards

Shabeeb

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Cristian Matei — Tue, 10 Mar 2020 16:36:41 GMT

Hi,

If you're speaking about using the NAM module of AnyConnect, yes you can achieve the options i highlighted above, by using NAM profiles.

Regards,

Cristian Matei.

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

SHABEEB KUNHIPOCKER — Thu, 12 Mar 2020 09:24:38 GMT

Hi,

We already have NAM profile for wired and wireless setup for our users. The profiles are using EAP-FAST so that we can do EAP-Chaining for our users. The LAPS is used by the user support personnel to access the machines remotely in case of any issues reported and they need to have local admin privileges on the machine. My question is that without altering the current setup of EAP-Chaining is there any way that we can have the LAPS setup accommodated only for the local admin account?.

If I configure two wired profiles in Anyconnect NAM, which profile it will use when it detects a network connection?. Is there any conditions I can write in the NAM profile (using profile editor) itself so that it can choose specific profile based on the condition?.

Thanks

Shabeeb

Thanks and Regards

Re: Cisco ISE integration with Microsoft Local Administrator password solution (Laps)

Cristian Matei — Thu, 12 Mar 2020 10:45:01 GMT

Hi,

While using EAP-FAST and EAP-Chaining, if your inner method is EAP-TLS, you can achieve the same thing, have your LAPS accounts be provisioned with a certificate which has a unique filed that you can match in your ISE policies. (long lifetime cause you're gonna rarely use this account on all devices, and you don't want it to expire, so when the LAPS connects it is not allowed network access). This one different field in the certificate is required only if you want a different authorization to be pushed from ISE for the LAPS users. We have a problem with the LAPS password not being able to be validated by ISE, thus we don't use EAP-MSCHAPv2 as the inner method, but use EAP-TLS as the inner method.

Regards,

Cristian Matei.

Re: Cisco ISE integration with Microsoft Local Administrator password

peter.matuska1 — Thu, 18 Apr 2024 14:07:35 GMT

any easy solution for this in 2024? 🙂