
2378 Views | 1 Helpful | 10 Replies
Cisco Employee

Windows 10 Credential Guard issue

Hi all

Customer with a predominantly Windows 10 install base; the current auth scheme is EAP-MSCHAPv2.

Their standard policy requires Credential Guard to be on by default on the Win 10 desktops. From what I have found, this seems to disable the ability to use EAP-MSCHAPv2 and forces EAP-TLS ...


Other than disabling Credential Guard, is there a way to get this to work?


This article explains the issue: http://www.iphase.dk/2017/08/14/windows-10-credential-guard-and-cisco-ise-conflicts/

More: http://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html

Thx

Greg

Accepted Solution
Advocate

Re: Windows 10 Credential Guard issue

I think it will depend on where the credentials are stored. If they are fetched from the Windows store, then expect the same challenge as the native supplicant with PEAP-EAP-MSCHAPv2.

Regarding "So disabling Credential Guard is probably out for the customer; they see it as a risk", make sure the customer understands this is NOT a Cisco ISE limitation but is due to a security feature that impacts Microsoft's own native supplicant. Certainly the more common workaround for customers wishing to keep Credential Guard is to implement EAP-TLS with certs.
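Added example, not from the thread or from Cisco: a read-only PowerShell audit, assuming a Windows 10 host and an elevated PowerShell session, that reports whether Credential Guard is actually running and which saved WLAN profiles still use an EAP-MSCHAPv2 inner method and so need the EAP-TLS migration described above. It reads only the native supplicant's profiles, not AnyConnect NAM configuration.

```powershell
# Added example (not the thread's or Cisco's code). Read-only: changes nothing on the host.
# Assumes Windows 10, elevated session, and 'netsh wlan' available for wireless profiles.

# 1. Is Credential Guard running? Win32_DeviceGuard service codes: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgConfigured = [int[]]$dg.SecurityServicesConfigured -contains 1
$cgRunning    = [int[]]$dg.SecurityServicesRunning    -contains 1
"Credential Guard configured: $cgConfigured  running: $cgRunning"

# 2. Export all WLAN profiles to XML (no name given = every profile) and read their EAP types.
#    IANA EAP method numbers: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2, 43 = EAP-FAST.
$tmp = Join-Path $env:TEMP ('eapaudit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
netsh wlan export profile folder="$tmp" | Out-Null

$report = foreach ($f in Get-ChildItem -Path $tmp -Filter '*.xml') {
    [xml]$p = Get-Content -Path $f.FullName -Raw
    # The EAPConfig subtree mixes several Microsoft namespaces, so match on local-name() only.
    $types = $p.SelectNodes("//*[local-name()='EAPConfig']//*[local-name()='Type']") |
             ForEach-Object { [int]$_.InnerText } | Sort-Object -Unique
    $auth  = ($p.SelectNodes("//*[local-name()='authentication']") | Select-Object -First 1).InnerText

    $verdict = if ($types -contains 26 -and $cgRunning) {
                   'WILL FAIL: MSCHAPv2 inner method is blocked while Credential Guard runs'
               } elseif ($types -contains 13) {
                   'OK: EAP-TLS (certificate) method'
               } elseif (-not $types) {
                   'n/a: no 802.1X EAP configuration in this profile'
               } else {
                   'REVIEW: EAP types ' + ($types -join ',')
               }

    [pscustomobject]@{
        Profile  = $p.WLANProfile.name
        Auth     = $auth
        EapTypes = ($types -join ',')
        Verdict  = $verdict
    }
}

$report | Format-Table -AutoSize
Remove-Item -Path $tmp -Recurse -Force
```

Wired 802.1X profiles can be checked the same way by swapping in `netsh lan export profile`; profiles flagged WILL FAIL are the ones to re-push with an EAP-TLS configuration and machine/user certificates.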

10 Replies
Enthusiast

Re: Windows 10 Credential Guard issue

1. Disable Credential Guard

On the host operating system, click Start > Run, type gpedit.msc, and click OK. The Local Group Policy Editor opens.

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.

Select Disabled.

2. Use AnyConnect NAM instead of the Windows 10 802.1X supplicant

Cisco Employee

Re: Windows 10 Credential Guard issue

OK

So disabling Credential Guard is probably out for the customer; they see it as a risk.

If we go with AnyConnect NAM, will it allow EAP-MSCHAPv2 even with CG enabled on the OS?

Beginner

Re: Windows 10 Credential Guard issue

You cannot do EAP-PEAP with Credential Guard enabled. We have a growing Windows 10 implementation, and have switched to using machine/user certificates for authentication using EAP-TLS.

Cisco Employee

Re: Windows 10 Credential Guard issue

I do not believe NAM is able to use password-based auth under the circumstances.

Enthusiast

Re: Windows 10 Credential Guard issue

It is working for me with EAP-FAST (EAP-MSCHAPv2).


Beginner

Re: Windows 10 Credential Guard issue

This was my experience. EAP-PEAP with MSCHAPv2 is right out. EAP-TLS with machine/user certs was the only manageable method. I will note we use the native supplicant and not NAM.

Re: Windows 10 Credential Guard issue

Thanks Craig for the response. My only concern moving to EAP-TLS is using computer + user certificates:

How can you provision user certs at first logon on the computer?

We would like to have user certs for user-based auth (like using AnyConnect ISE posture).

- Pre-provisioning user certs is not possible before the user logs in.

- When using "shared" computers with each person logging in, this "first logon" use case will be very common, and should not force a special process to get a user cert on the computer.

1/ Does AnyConnect NAM have some advantages over the Microsoft native supplicant for this particular issue?

2/ What does Cisco recommend as a workaround to Microsoft's "Credential Guard" feature (which I understand is not Cisco's responsibility)? Do you have a "straight" response to this issue customers are facing?

Thanks

Guillaume

Cisco Employee

Re: Windows 10 Credential Guard issue

I recommend posting in the AnyConnect community.
Beginner

Re: Windows 10 Credential Guard issue

Hello Guill

In case it's still relevant for you, just fall back to "Microsoft: Smart Card or other blah-blah" on the client. It will effectively make the PC request EAP-TLS-only authentication. Meanwhile, configuring ISE for EAP-TLS only is quite straightforward.