https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257261#M594779 <P>I also forgot to mention that depending on what version of Windows server you have integrated with ISE, you might need to move away from WMI and use Passive ID agent due to the Microsoft patch KB5014692 that could break WMI:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216512-configure-evt-based-identity-services-en.html#toc-hId-1804359549" target="_blank">Configure EVT-Based Identity Services Engine Passive ID Agent - Cisco</A></P> <P><A href="https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c" target="_blank">KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) - Microsoft Support</A></P> Wed, 05 Feb 2025 19:55:11 GMT Aref Alsouqi 2025-02-05T19:55:11Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5255719#M594719 <P>We are currently using ISE-PIC and WMI integration with Windows AD for user/IP mapping and it works fairly well with domain joined wired desktops. We now want users to use their domain creds with wireless devices and will implement Microsoft NPS for this. The NPS will authenticate users connecting to Meraki APs using RADIUS. My question is: What IP will be logged on the Windows domain controller log when this happens? Ideally the users' endpoint device IP will be logged and the ISE-PIC will map IP correctly. But I am not sure how this process works and if the Meraki AP IP or worse, NPS IP show in DC logs my plan will not work. Any ideas?</P><P>TIA,<BR />Diego</P><P>&nbsp;</P> Sat, 01 Feb 2025 19:19:00 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5255719#M594719 tato386 2025-02-01T19:19:00Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5256503#M594753 <P>What is the use-case for ISE-PIC?&nbsp; Also no one should be deploying username/password auth in 2025 for network auth.&nbsp; MS-CHAPv2 relies on broken RC4 encryption.&nbsp; Microsoft has blocked PEAP/MS-CHAPv2 by default in recent Windows versions because of this.&nbsp; You should use certificates with EAP-TLS or TEAP instead.</P> Tue, 04 Feb 2025 12:16:35 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5256503#M594753 ahollifield 2025-02-04T12:16:35Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5256683#M594762 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513">@ahollifield</a>&nbsp;you make good points but at this time our focus is eliminating PSK for wireless BYOD devices and getting PKI certs on those devices is not feasible at this time.</P> Tue, 04 Feb 2025 18:25:41 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5256683#M594762 tato386 2025-02-04T18:25:41Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257213#M594776 <P>Why not?&nbsp; What is the use-case for giving unknown/unmanaged endpoints access to the protected network?</P> Wed, 05 Feb 2025 17:22:49 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257213#M594776 ahollifield 2025-02-05T17:22:49Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257259#M594778 <P>Is ISE integrated with a device that relies on ISE-PIC user-IP-mapping? if not, as&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199513">@ahollifield</a>&nbsp;mentioned, what's the use case of ISE-PIC?</P> <P>ISE-PIC reads the AD security logs and parse the information from there, it doesn't care about how a user was logged into the AD, it just reads the logs and parse the contexts from there. The details in the security logs would be belonging to the users, not to the APs.</P> Wed, 05 Feb 2025 19:47:36 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257259#M594778 Aref Alsouqi 2025-02-05T19:47:36Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257261#M594779 <P>I also forgot to mention that depending on what version of Windows server you have integrated with ISE, you might need to move away from WMI and use Passive ID agent due to the Microsoft patch KB5014692 that could break WMI:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216512-configure-evt-based-identity-services-en.html#toc-hId-1804359549" target="_blank">Configure EVT-Based Identity Services Engine Passive ID Agent - Cisco</A></P> <P><A href="https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c" target="_blank">KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) - Microsoft Support</A></P> Wed, 05 Feb 2025 19:55:11 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257261#M594779 Aref Alsouqi 2025-02-05T19:55:11Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257304#M594786 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594">@Aref Alsouqi</a>&nbsp;we currently have 8 fully patched Windows DCs and WMI from ISE-PIC is working well so luckily, we are not affected by KB5004442 and hopefully it will stay this way.&nbsp; The ISE-PIC is linked to an FMC, and we use user-IP mapping to match FMC rules and control access to web categories and apps.</P><P>We would now like to extend our existing web filter and access policies to employee BYOD devices and thus the integration with NPS.&nbsp; Of course, this will only work if the endpoint device IP is logged in the DCs login event log for the ISE user-IP mapping to correctly match FMC rules.</P> Wed, 05 Feb 2025 21:48:01 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257304#M594786 tato386 2025-02-05T21:48:01Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257594#M594802 <P>Thanks for the clarification. Then yes it should work with no problems at all because as we said, from ISE-PIC perspective it will still rely on the AD security logs and feed the FMC via pxGrid without caring about if that user connected via wired or wireless neither via NPS or other methods.</P> Thu, 06 Feb 2025 15:18:02 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257594#M594802 Aref Alsouqi 2025-02-06T15:18:02Z https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257784#M594812 <P>excellent.&nbsp; thanks for the clarification</P> Thu, 06 Feb 2025 20:08:01 GMT https://community.cisco.com/t5/network-access-control/meraki-radius-with-microsoft-nps-user-ip-in-domain-controller/m-p/5257784#M594812 tato386 2025-02-06T20:08:01Z