cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2741
Views
0
Helpful
3
Replies

Cisco ISE 2.6 - User and Machine Authentication - RDP Connection

pgiouvanellis
Level 1
Level 1

Hello ,

 

We are trying to implement 802.1x (wired) and we decide to perform User and Machine Authentication.

 

We perform tests and as far as the users logged in from office it work working properly.

 

We have an issue when users are trying to RDP to their PCs from home .

 

We get machine authentication but no user authentication.

I am aware that there is probably OS Limitation on Windows and we need NAM Agent to accomplish that but we tried to use TEAP to windows 10 with same result .

 

Is there anyone manage to perform user and machine authentication when RDP on PC with Windows Supplicant .

 

I just do not want to waste any time in tests , anything i have tried i get only machine authentication and not user with Windows Supplicant.

 

Please for your feedback.

 

Thank You ,

Palaiologos 

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni

A few things to consider/know:

-When using NAM, by default, enforces single user logon.  To change this to allow multiple reference the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

 

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

 

-When NAM is installed, it will require you to enter creds twice to establish a RDP session.  First for pre-login auth for Windows, second for the remote machine cred provider.

 

-TEAP support began with ISE2.7 which would allow you to utilize eap-chaining with native supplicant.  See here for more: Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

 

-Have you considered dumping clients into a restricted network when eapchaining result is comp pass+user fail? Not sure what your use case is, but you could steer clients to a parking lot that would still allow some sort of control/access based on that result via authz conditions in your radius policy. 

 

View solution in original post

3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

A few things to consider/know:

-When using NAM, by default, enforces single user logon.  To change this to allow multiple reference the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

 

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

 

-When NAM is installed, it will require you to enter creds twice to establish a RDP session.  First for pre-login auth for Windows, second for the remote machine cred provider.

 

-TEAP support began with ISE2.7 which would allow you to utilize eap-chaining with native supplicant.  See here for more: Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

 

-Have you considered dumping clients into a restricted network when eapchaining result is comp pass+user fail? Not sure what your use case is, but you could steer clients to a parking lot that would still allow some sort of control/access based on that result via authz conditions in your radius policy. 

 

Mike I am sorry here that I can't really help with your post but rather my reply is more for learning here. Is NAM included with the Core package for anyconnect , is it like an Add-On like SBL that one can use? I am doing much of remediation form NIST 800-171 Compliance and have 2FA'd my remote users with Smart Card only access for VPN establishment and RDP access into the internal domain. In other words users cannot login remotely or on prem without smart cards and that also is the case for WIFI as I have WPA\Enterprise smart card only access allowed. I am now trying to better secure through 802.1x and wondering how to go about setting up NAM agent which I presume is a Cisco add on???

Also if you don't mind what exactly is Cisco ISE? I am using a version of firepower that I am using the legacy Cisco agent for an identity source that maps  usernames to IP addresses.  I believe ISE replaces the Cisco Agent so I wondered if there is better functionality with ISE and if it is something worthwhile to do.