windows 10 credential Guard issue

ggriesse@cisco.com
Cisco Employee

Hi all

Customer with a predominantly Windows 10 install base; the current auth schema is EAP-MSCHAPv2.

Their standard policy requires Credential Guard to be on by default on the Windows 10 desktops. From what I have found, this seems to disable the ability to use EAP-MSCHAPv2 and forces EAP-TLS.

Other than disabling Credential Guard, is there a way to get this to work?


This article explains the issue: http://www.iphase.dk/2017/08/14/windows-10-credential-guard-and-cisco-ise-conflicts/

More: http://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html

Thx

Greg

Accepted Solution

I think it will depend on where the credentials are stored. If fetched from the Windows store, then expect the same challenge as the native supplicant with PEAP-EAP-MSCHAPv2.

Regarding "So disabling Credential Guard is probably out for the customer... they see it as a risk", make sure the customer understands this is NOT a Cisco ISE limitation but is due to a security feature that impacts Microsoft's own native supplicant. Certainly the more common workaround for customers wishing to keep Credential Guard is to implement EAP-TLS with certs.

10 Replies

nir-r
Level 4

1. Disable Credential Guard

On the host operating system, click Start > Run, type gpedit.msc, and click OK. The Local Group Policy Editor opens.

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.

Select Disabled.

2. Use AnyConnect NAM instead of the Windows 10 802.1X supplicant
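An added example (not from any poster in this thread or from Cisco): a PowerShell audit that reports whether Credential Guard is running on a host and which saved WLAN profiles still rely on EAP-MSCHAPv2 through the native supplicant, so the affected machines can be found before a move to EAP-TLS. It assumes the built-in Win32_DeviceGuard WMI class and netsh wlan, and is run in an elevated PowerShell session.

```powershell
# Added example, not from this thread or from Cisco: find the Credential Guard /
# EAP-MSCHAPv2 conflict on one Windows 10 host. Assumes Win32_DeviceGuard and netsh wlan.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

# IANA EAP method type numbers as they appear in exported WLAN profile XML
$EapTypeNames = @{ 13 = 'EAP-TLS'; 21 = 'EAP-TTLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2' }

function Get-WlanProfileEapTypes {
    $tmp = Join-Path $env:TEMP 'wlan-eap-audit'
    New-Item -ItemType Directory -Path $tmp -Force | Out-Null
    # Export every saved profile to XML; no key material is requested
    netsh wlan export profile folder="$tmp" | Out-Null
    foreach ($f in Get-ChildItem -Path $tmp -Filter '*.xml') {
        $xml = [xml](Get-Content -Path $f.FullName -Raw)
        # Outer method (EapMethod/Type) and inner method (Eap/Type); PSK profiles have neither
        $types = @($xml.SelectNodes("//*[local-name()='EapMethod' or local-name()='Eap']/*[local-name()='Type']") |
                   ForEach-Object { [int]$_.InnerText } | Sort-Object -Unique)
        [pscustomobject]@{
            Profile    = $xml.WLANProfile.name
            EapTypes   = @($types | ForEach-Object {
                             if ($EapTypeNames.ContainsKey($_)) { $EapTypeNames[$_] } else { "type $_" } })
            UsesMschap = ($types -contains 26)
        }
    }
    Remove-Item -Path $tmp -Recurse -Force
}

function Test-CredentialGuardEapConflict {
    $cg = Get-CredentialGuardState
    foreach ($p in Get-WlanProfileEapTypes) {
        [pscustomobject]@{
            Profile                = $p.Profile
            EapTypes               = ($p.EapTypes -join ' / ')
            CredentialGuardRunning = $cg.CredentialGuardRunning
            # MSCHAPv2 needs the NT hash that Credential Guard isolates; this pairing stops authenticating
            Conflict               = ($cg.CredentialGuardRunning -and $p.UsesMschap)
        }
    }
}

Test-CredentialGuardEapConflict | Format-Table -AutoSize
```

Profiles managed by AnyConnect NAM are not in the netsh store, so the check only covers the native supplicant the thread is discussing.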

OK.

So disabling Credential Guard is probably out for the customer... they see it as a risk.

If we go with AnyConnect NAM, will it allow EAP-MSCHAPv2 EVEN with CG enabled on the OS?

You cannot do EAP-PEAP with Credential Guard enabled. We have a growing Windows 10 implementation, and have switched to using machine/user certificates for authentication using EAP-TLS.

I do not believe NAM is able to use password-based auth under the circumstances.

It is working for me with EAP-FAST (EAP-MSCHAPv2).


This was my experience. EAP-PEAP with MSCHAPv2 is right out. EAP-TLS with machine/user certs was the only manageable method. I will note we use the native supplicant and not NAM.

Thanks Craig for the response. My only concern moving to EAP-TLS is using computer + user certificates:

How can you provision user certs at first logon on the computer?

We would like to have user certs for user-based auth (like using AnyConnect ISE posture).

- Pre-provisioning user certs is not possible before the user logs in.

- When using "shared" computers with each person logging in, this "first logon" use case will be very common, and it should not force a special process to get the user cert onto the computer.

1/ Does AnyConnect NAM have some advantages over the Microsoft native supplicant for this particular issue?

2/ What does Cisco recommend as a workaround to Microsoft's "Credential Guard" feature (which I understand is not Cisco's responsibility)? Do you have a "straight" response to this issue customers are facing?

Thanks

Guillaume

I recommend posting in the AnyConnect community.

Hello Guill,

In case it's still relevant for you, just fall back to "Microsoft: Smart Card or other certificate" on the client. It will effectively turn the PC to request EAP-TLS-only authentication. Meanwhile, configuring ISE for EAP-TLS only is quite straightforward.
