Cisco ISE 2.6 - User and Machine Authentication - RDP Connection

pgiouvanellis
Level 1

Hello,

We are trying to implement 802.1x (wired) and we decided to perform User and Machine Authentication.

We performed tests, and as far as users logged in from the office, it is working properly.

We have an issue when users are trying to RDP to their PCs from home.

We get machine authentication but no user authentication.

I am aware that there is probably an OS limitation on Windows and we need the NAM Agent to accomplish that, but we tried to use TEAP on Windows 10 with the same result.

Has anyone managed to perform user and machine authentication when RDPing to a PC with the Windows supplicant?

I just do not want to waste any time in tests; with anything I have tried, I get only machine authentication and not user authentication with the Windows supplicant.

Please give your feedback.

Thank you,

Palaiologos

Accepted Solution

Mike.Cifelli
VIP Alumni

A few things to consider/know:

-When using NAM, by default it enforces single user logon. To change this to allow multiple, reference the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there) and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

-When NAM is installed, it will require you to enter creds twice to establish an RDP session. First for pre-login auth for Windows, second for the remote machine cred provider.

-TEAP support began with ISE 2.7, which would allow you to utilize EAP chaining with the native supplicant. See here for more: Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

-Have you considered dumping clients into a restricted network when the EAP chaining result is comp pass + user fail? Not sure what your use case is, but you could steer clients to a parking lot that would still allow some sort of control/access based on that result via authz conditions in your RADIUS policy.
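An added PowerShell example (not from the original post or from Cisco) that audits the EnforceSingleLogon DWORD under the credential-provider key quoted in the reply, so the change can be checked, applied with -WhatIf first, and reverted across RDP hosts. The function names and the handling of an absent value are this example's own assumptions.

```powershell
# Added example, not from the original post. Assumes the NAM credential-provider
# key path and the EnforceSingleLogon DWORD exactly as quoted in the reply above.
$NamCredProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'

function Get-NamSingleLogonState {
    # Reports whether NAM currently restricts the host to a single logon.
    if (-not (Test-Path -LiteralPath $NamCredProviderKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Value = $null;
                                  Meaning = 'NAM credential provider key not found (NAM not installed?)' }
    }
    $value = (Get-ItemProperty -LiteralPath $NamCredProviderKey).EnforceSingleLogon
    if ($null -eq $value) {
        # Assumption: the reply says NAM enforces single logon by default, so treat "absent" as 1.
        $meaning = 'Value absent; NAM default (single user logon) assumed'
    } elseif ($value -eq 1) {
        $meaning = 'Single user logon enforced (NAM default)'
    } elseif ($value -eq 0) {
        $meaning = 'Multiple users may be logged on (needed for RDP next to a console user)'
    } else {
        $meaning = "Unexpected value $value; review manually"
    }
    [pscustomobject]@{ KeyPresent = $true; Value = $value; Meaning = $meaning }
}

function Set-NamSingleLogonState {
    # Writes 0 when -AllowMultipleUsers is given, otherwise 1. Needs an elevated shell.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$AllowMultipleUsers)
    $desired = if ($AllowMultipleUsers) { 0 } else { 1 }
    if (-not (Test-Path -LiteralPath $NamCredProviderKey)) {
        throw "Key not found: $NamCredProviderKey"
    }
    if ($PSCmdlet.ShouldProcess($NamCredProviderKey, "Set EnforceSingleLogon = $desired")) {
        # -Force creates the DWORD if missing or overwrites it with the correct type.
        New-ItemProperty -LiteralPath $NamCredProviderKey -Name EnforceSingleLogon `
            -PropertyType DWord -Value $desired -Force | Out-Null
        # Re-read so the caller gets $true only if the write actually took effect.
        (Get-ItemProperty -LiteralPath $NamCredProviderKey).EnforceSingleLogon -eq $desired
    }
}

# Usage: Get-NamSingleLogonState ; Set-NamSingleLogonState -AllowMultipleUsers -WhatIf
```

Run the Get function before and after the change; the Set function returns $true only when the re-read value matches what was requested.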

3 Replies

Mike, I am sorry here that I can't really help with your post, but rather my reply is more for learning here. Is NAM included with the Core package for AnyConnect? Is it an add-on like SBL that one can use? I am doing much of the remediation from NIST 800-171 compliance and have 2FA'd my remote users with smart card only access for VPN establishment and RDP access into the internal domain. In other words, users cannot log in remotely or on prem without smart cards, and that is also the case for WiFi as I have WPA Enterprise smart card only access allowed. I am now trying to better secure through 802.1x and wondering how to go about setting up the NAM agent, which I presume is a Cisco add-on???

Also, if you don't mind, what exactly is Cisco ISE? I am using a version of Firepower in which I am using the legacy Cisco agent for an identity source that maps usernames to IP addresses. I believe ISE replaces the Cisco agent, so I wondered if there is better functionality with ISE and if it is something worthwhile to do.