Cisco ISE 3.1 (patch3) speaks with Active directory using ntlmv1

milos_p
Level 1

Hi guys,

I am getting logs on DC that there is NTLMv1 communication from ISE server:

I can see this communication happening when a Windows computer authenticates to ISE from the WiFi network using PEAP (EAP-MSCHAPv2) with computer authentication. It looks like ISE takes the MSCHAPv2 information and sends it to the domain controller as an NTLMv1 request, and I want it to be NTLMv2 due to the company security policy.

Part of the log: Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1

Apart from the setting in the Passive ID section to use NTLMv1 or NTLMv2 (NTLMv2 is checked, but we are NOT using Passive ID), I cannot find anywhere to specify/force Cisco ISE to use NTLMv2 and not NTLMv1 when it speaks with the DC to authenticate users coming from 802.1X networks.

Is there a way to force the use of ntlmv2 towards DCs, for EAP authentications (PEAP EAP-MSCHAPv2 in my case) coming from users?

Thanks a lot in advance!

Milos
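To triage which hosts are still producing NTLMv1 authentications against the DC, here is an added example (not from the original thread) that parses log lines in the same "Key: Value, Key: Value" form as the fragment quoted above, keeps only entries with IsNtlmV1: True and sums NtlmV1Count per source. The SourceHost field name and the sample lines are constructed assumptions; only Protocol, IsNtlmV1 and NtlmV1Count come from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same "Key: Value, Key: Value" form as the
# fragment quoted in the post. "SourceHost" is an assumed field name; a real
# DC log carries the source under whatever name the logging product uses.
SAMPLE_LOG = """\
SourceHost: ise-psn-01.example.local, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 1
SourceHost: fileserver-02.example.local, Protocol: Ntlm, IsNtlmV1: False, NtlmV1Count: 0
SourceHost: ise-psn-01.example.local, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 3
SourceHost: legacy-app-07.example.local, Protocol: Ntlm, IsNtlmV1: True, NtlmV1Count: 2
SourceHost: workstation-15.example.local, Protocol: Kerberos
garbage line that does not parse
"""

# One "Key: Value" pair; values run up to the next comma so hosts with ':' survive.
FIELD_RE = re.compile(r"\s*([A-Za-z0-9_]+):\s*([^,]*)")


def parse_line(line: str) -> dict:
    """Split a 'Key: Value, Key: Value' line into a dict; unparseable text gives {}."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_ntlmv1(fields: dict) -> bool:
    """True when the entry is an NTLM authentication the DC flagged as NTLMv1."""
    return (fields.get("Protocol", "").lower() == "ntlm"
            and fields.get("IsNtlmV1", "").lower() == "true")


def ntlmv1_sources(log_text: str, source_field: str = "SourceHost") -> dict:
    """Sum NtlmV1Count per source over NTLMv1 entries, worst offender first.

    An entry without a usable count still counts as one observed authentication.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not is_ntlmv1(fields):
            continue
        source = fields.get(source_field, "<unknown>")
        try:
            count = int(fields.get("NtlmV1Count", "1"))
        except ValueError:
            count = 1
        totals[source] += max(count, 1)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for host, count in ntlmv1_sources(SAMPLE_LOG).items():
        print(f"{host}: {count} NTLMv1 authentication(s)")
```

A RADIUS server such as the ISE PSN showing up at the top of this list is the expected result of the MSCHAPv2 behaviour discussed in this thread, and separates it from other NTLMv1 sources that can actually be reconfigured.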


Greg Gibbs
Cisco Employee

MSCHAPv2 is NTLMv1 based. I'm not aware of a way to 'force' the protocol to use NTLMv2 when used with EAP, hence the known issues caused by MS Defender Credential Guard. Microsoft's recommendation is to use EAP-TLS instead.

4 Replies

Hi Greg,


Thanks for the clarification, I assumed something like that was happening.

On the other side, although, like you said, MSCHAPv2 is by default NTLMv1 based, Microsoft enabled the possibility in their RADIUS server (NPS) to use strictly NTLMv2 when NPS speaks with the DC:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication


Is there some possibility like this in ISE, using the Active Directory advanced tuning configuration?

The case is, this is a big thing from the Security Department's perspective, as NTLMv1 raises some red flags.


Thanks a lot!

Milos

The VPN use case is completely different from the EAP use case, hence the specific phrasing I used when I said "I'm not aware of a way to 'force' the protocol to use NTLMv2 when used with EAP".

This is a limitation of the protocol and the client supplicant, which is not something any configuration in ISE can change.

Hi Greg,

I really was hoping there was some hidden/advanced parameter that could force ISE to use NTLMv2 for this case.

Thanks again for the great explanation and discussion!


Regards,

Milos