Using Windows 10 with Credential Guard - AnyConnect Supplicant

daabruze
Cisco Employee

Team -

I'm with a customer this week and don't have a way to test for this question at the moment.

ISE v1.4 Patch 7

Like many Federal DOD customers, they have a Windows 10 Workstation STIG (STIG ID: WN10-CC-000075) that requires them to enable the Credential Guard feature on Windows 10, which does not allow for PEAP-MSCHAPv2 Machine Authentication.

The simple answer is the one I'm currently pursuing, which is to have them disable the feature and continue using Machine Auth. They do not have the infrastructure to put valid certificates on the workstations for EAP-TLS.

I would like to know though, if they use the AnyConnect client as the supplicant, would that be a solution or is NTLM and Kerberos authentication (MSCHAPv2) still affected by enabling Credential Guard regardless of the supplicant being native or AnyConnect.

Thanks for any feedback.

Damon

1 Accepted Solution


hslai
Cisco Employee

Protect derived domain credentials with Credential Guard (Windows 10) says,

Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.

...

  • If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificate-based authentication for Wi-Fi and VPN connections.

...


From what I understood, it implied certificate-based auth would be a must if this feature is enabled.

I will check with our teams and see whether anyone knows it differently. You could probably try EAP-GTC as the inner method.

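An added example, not code from the thread, that checks the two things this answer turns on: whether Credential Guard is actually running on a Windows 10 host, and which saved Wi-Fi 802.1X profiles still rely on PEAP with an MS-CHAPv2 inner method (and what authMode they use). The scratch folder is an assumption; the EAP type numbers (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS) are the standard IANA values that appear in exported WLAN profile XML.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the workstation.

# 1. Credential Guard status from the DeviceGuard CIM class.
#    SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgRunning = @($dg.SecurityServicesRunning) -contains 1
Write-Output ("Credential Guard running: {0}" -f $cgRunning)

# 2. Export the saved WLAN profiles as XML (keys are not requested) to a scratch folder.
$out = Join-Path $env:TEMP 'wlan-profiles'   # assumed scratch location
New-Item -ItemType Directory -Path $out -Force | Out-Null
netsh wlan export profile folder="$out" | Out-Null

# 3. Inspect each profile. EAP <Type> elements live in several namespaces, so match on
#    local-name(); the OneX <authMode> says whether the profile does machine or user auth.
foreach ($file in Get-ChildItem -Path $out -Filter '*.xml') {
    [xml]$xml = Get-Content -Path $file.FullName -Raw
    $name     = $xml.SelectNodes("//*[local-name()='WLANProfile']/*[local-name()='name']")[0].InnerText
    $types    = @($xml.SelectNodes("//*[local-name()='Type']") | ForEach-Object { [int]$_.InnerText })
    $authNode = $xml.SelectNodes("//*[local-name()='authMode']") | Select-Object -First 1
    $authMode = if ($authNode) { $authNode.InnerText } else { 'n/a (not 802.1X)' }

    if (($types -contains 25) -and ($types -contains 26)) {
        # PEAP outer with EAP-MSCHAPv2 inner: the combination the quoted doc says is blocked.
        $status = if ($cgRunning) { 'blocked by Credential Guard' } else { 'will break once Credential Guard is enabled' }
        Write-Output ("{0}: PEAP-MSCHAPv2, authMode={1} -> {2}" -f $name, $authMode, $status)
    } elseif ($types -contains 13) {
        Write-Output ("{0}: EAP-TLS, authMode={1} -> certificate-based, compatible" -f $name, $authMode)
    }
}
```

Profiles reported as PEAP-MSCHAPv2 with authMode machine or machineOrUser are the ones whose machine authentication the STIG setting affects.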
