08-10-2022 01:44 AM
Hi guys,
I am getting logs on the DC that there is NTLMv1 communication from the ISE server:
I can see this communication happening when a Windows computer authenticates to ISE from the WiFi network using PEAP (EAP-MSCHAPv2) with computer authentication. It looks like ISE takes the MSCHAPv2 information and sends it to the domain controller as an NTLMv1 request, and I want it to be NTLMv2 due to the company security policy.
Part of the log: Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1
Apart from settings in Passive ID section to use ntlmv1 or ntlmv2 (ntlmv2 is checked, but we are NOT using passive ID), I cannot find anywhere to specify/force Cisco ISE to use ntlmv2 and not ntlmv1 when it speaks with DC to authenticate users coming from 802.1x networks.
Is there a way to force the use of ntlmv2 towards DCs, for EAP authentications (PEAP EAP-MSCHAPv2 in my case) coming from users?
Thanks a lot in advance!
Milos
08-10-2022 03:05 PM
MSCHAPv2 is NTLMv1 based. I'm not aware of a way to 'force' the protocol to use NTLMv2 when used with EAP, hence the known issues caused by MS Defender Credential Guard. Microsoft's recommendation is to use EAP-TLS instead.
08-11-2022 12:05 AM
Hi Greg,
Thanks for clarification, I assumed something like that is happening.
On the other side, although like you said MSCHAPv2 is by default NTLMv1 based, Microsoft enabled the possibility in their RADIUS server (NPS) to use strictly NTLMv2 when NPS speaks with the DC:
Is there some possibility like this in ISE, using Active Directory advanced tuning configuration?
The case is, this is a big thing from the Security Department's perspective, as NTLMv1 raises some red flags.
Thanks a lot!
Milos
08-11-2022 03:47 PM
The VPN use case is completely different than the EAP use case, hence, the specific phrasing I used when I said "I'm not aware of a way to 'force' the protocol to use NTLMv2 when used with EAP".
This is a limitation of the protocol and the client supplicant, which is not something any configuration in ISE can change.
08-12-2022 12:26 AM
Hi Greg,
I was really hoping there was some hidden/advanced parameter that could force ISE to use NTLMv2 for this case.
Thanks again for great explanation and discussion!
Regards,
Milos
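Since the thread concludes that NTLMv1 towards the DC cannot be switched off on the ISE side while PEAP (EAP-MSCHAPv2) is in use, a practical follow-up is to triage the DC-side log lines quoted in the first post (Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1) so that NTLMv1 originating from the ISE policy nodes is separated from NTLMv1 coming from any other host. This is an added example, not code from the thread or from Cisco; the Source field, the host names and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample lines in the "Key: Value, Key: Value" shape quoted in the
# first post. The "Source" field is an assumption added here so that NTLMv1
# events can be attributed to the host that sent them.
SAMPLE_LOG = """\
Source: ise-psn-01, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1
Source: ise-psn-01, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1
Source: fileserver01, Protocol: Ntlm, IsNtlmV1: False, NtlmV1Count: 0
Source: legacy-app-01, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 3
Source: ws-042, Protocol: Kerberos
"""

# Hosts expected to emit NTLMv1 because they relay PEAP (EAP-MSCHAPv2)
# authentications to the DC. Assumed names, adjust to your ISE PSNs.
KNOWN_RADIUS_SERVERS = {"ise-psn-01", "ise-psn-02"}


def parse_line(line):
    """Turn 'Key: Value, Key: Value' into a dict; malformed parts are skipped."""
    fields = {}
    for part in line.split(","):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ntlmv1_summary(text):
    """Aggregate NTLMv1 counts per source host.

    Returns {source: {"count": n, "expected_peap": bool}} where expected_peap
    is True for the RADIUS servers whose NTLMv1 is explained by PEAP and False
    for any other host, which is the set worth investigating first.
    """
    counts = defaultdict(int)
    for line in text.splitlines():
        f = parse_line(line)
        if f.get("Protocol") != "Ntlm" or f.get("IsNtlmV1") != "True":
            continue  # Kerberos and NTLMv2 lines are not of interest here
        counts[f.get("Source", "unknown")] += int(f.get("NtlmV1Count", "1"))
    return {
        src: {"count": n, "expected_peap": src in KNOWN_RADIUS_SERVERS}
        for src, n in counts.items()
    }


if __name__ == "__main__":
    for src, info in ntlmv1_summary(SAMPLE_LOG).items():
        tag = "expected (PEAP)" if info["expected_peap"] else "INVESTIGATE"
        print(f"{src}: NTLMv1 count={info['count']} {tag}")
```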