topic Re: Cisco ISE integrates with Windows Hello for Business in Network Access Control

Cisco ISE integrates with Windows Hello for Business

oumodom — Thu, 18 Jul 2024 04:09:24 GMT

Hello Cisco ISE lover,

I have plan for Cisco ISE (low impact mode) integrates with Windows Hello for business , in the term of authentication (User first Log-on with PIN or Biometric finger scan/Facial).

By feasibility study, we use EAP-FAST [TLS (Machine)+MSCHAPv2(User Authenticate)]
Has anyone experienced this use case, or any suggestion?

Re: Cisco ISE integrates with Windows Hello for Business

ccieexpert — Thu, 18 Jul 2024 06:07:16 GMT

i would suggest using TEAP

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

you can use cert for machine and user/password for user or cert for both..

Re: Cisco ISE integrates with Windows Hello for Business

Greg Gibbs — Thu, 18 Jul 2024 22:28:41 GMT

You cannot use MSCHAPv2 in conjunction with Windows Hello. The supplicant has no way to take the Hello input (PIN, for example) and translate that to a username/password to present in the 802.1x response.

If you want to use Windows Hello, you must use a certificate-based authentication - EAP-TLS, TEAP(EAP-TLS)

Re: Cisco ISE integrates with Windows Hello for Business

oumodom — Fri, 19 Jul 2024 02:38:06 GMT

Thank for your solution, and great idea which relies on certificate.
what about challenging with External Identity like AD to authenticate trusted machine/user identity?

Re: Cisco ISE integrates with Windows Hello for Business

ccieexpert — Fri, 19 Jul 2024 03:46:36 GMT

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

the certificate identity obtained from the cert, which is generally UPN user@domain.com can be be looked up in AD/LDAP to verify that is a valid user,and user/group attributes can be retrieved for authorization to provide differentiated authorization policy per group (or user).

Re: Cisco ISE integrates with Windows Hello for Business

ccieexpert — Fri, 19 Jul 2024 03:47:50 GMT

i havent tested with windows hello, but i think if you disabled use windows login credentials for dot1x , it could prompt the user for creds ? ofcourse, certs are the best

Re: Cisco ISE integrates with Windows Hello for Business

oumodom — Fri, 19 Jul 2024 04:40:40 GMT

As my experience, UPN define the most is machine under domain joined after selected source sequence, not for user@domain.com in AD.

Correct me if i am wrong.

Re: Cisco ISE integrates with Windows Hello for Business

Greg Gibbs — Fri, 19 Jul 2024 22:32:51 GMT

It depends on how the supplicant is configured. See this explanation and example...
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835

I have Win 10 and 11 instances in my lab that use TEAP(EAP-TLS) or EAP-TLS with User or Computer authentication and they work perfectly with Windows Hello PIN login.

Re: Cisco ISE integrates with Windows Hello for Business

ccieexpert — Sat, 20 Jul 2024 02:32:33 GMT

UPN is used a lot for user as well and for Azure / Entra, that is generally a requirement.