Cisco ISE and Windows 10 Self Service Password Recovery issue

TimPatrick-ADS
Level 1

We are running Cisco ISE 2.4.0.357 patch 6. In my ISE policy set I have the following rule options (all give the same access for now)

Machine and User Cert
Machine only Cert
User only Cert
User AD only
Machine in AD only

We are using the native Windows supplicant configured for Machine or User.

This has worked well up until the Windows 10 roll out and the introduction of the Windows Self Service Password recovery option. For those of you who do not know, when your laptop is locked you can click this option and it spins up a temporary profile on the Windows machine to process the password reset option. Unfortunately, if the client is using 802.1x wireless it will not work. The user gets a message saying that the internet is required. What we have seen is that once that temporary profile is spun up, the laptop loses its IP address.

I do not see anything in the event live logs to even see this client attempting to connect in this state.

If we change the Windows supplicant to Machine only, then we do not experience this issue; it works as the client support team expects.

In addition, if the machine is in a locked state and user 2 comes to log into the device, we see the same behavior.

Has anyone else encountered this, and is there a way around this without lowering our security posture to machine-only authentication?


2 Replies

thomas
Cisco Employee

Thank you for sharing this - I had not heard of the Windows 10 Self Service Password recovery option.

Is there no Windows Group Policy that you can push to your machines to disable this option?

Windows' native supplicant is also known for not doing 802.1X when a user does an RDP login.

Cristian Matei
VIP Alumni

Hi,

The SSPR is accessed through that temporary profile, which seems to not support 802.1x (which kinda makes sense, as how can you try to authenticate a user who is trying to reset their password, so it can't actually be authenticated).

You should be able to change the Advanced Settings for 802.1x, via Group Policy, so that 802.1x authentication is "Perform immediately after User Logon" and not "Perform immediately before User Logon", and this should fix the problem.

Regards,

Cristian Matei.
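As an added example (not code from the thread or from Cisco/Microsoft), a small Python audit that reads a Windows wireless profile exported with `netsh wlan export profile` and reports which profiles combine Machine-or-User authentication with single sign-on performed before user logon, the combination the reply above suggests changing. It assumes the exported profile's OneX schema elements `authMode` and `singleSignOn/type` (`preLogon`/`postLogon`) are where the "Perform immediately before/after user logon" setting is stored; the sample profile XML is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by profiles exported with "netsh wlan export profile".
WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"

# Constructed sample profile (not a real export): Machine-or-User auth with
# single sign-on performed before user logon, the combination discussed above.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-constructed</name>
  <SSIDConfig><SSID><name>CorpWiFi-constructed</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return (name, authMode, ssoType, finding) for one exported profile.

    ssoType is None when single sign-on is not enabled. The finding flags
    'machineOrUser' combined with SSO 'preLogon' (before user logon).
    """
    root = ET.fromstring(xml_text)
    name = root.findtext(f"{{{WLAN_NS}}}name")
    auth_mode = sso_type = None
    for elem in root.iter():
        if elem.tag == f"{{{ONEX_NS}}}authMode":
            auth_mode = (elem.text or "").strip()
        elif elem.tag == f"{{{ONEX_NS}}}singleSignOn":
            sso_type = (elem.findtext(f"{{{ONEX_NS}}}type") or "").strip() or None
    if auth_mode is None:
        finding = "no 802.1X (OneX) settings in profile"
    elif auth_mode == "machineOrUser" and sso_type == "preLogon":
        finding = "SSO before user logon with machineOrUser: set to postLogon"
    else:
        finding = "ok"
    return name, auth_mode, sso_type, finding
```

Run it over every XML file produced by `netsh wlan export profile folder=<dir>` on a reference machine to confirm what the Group Policy actually pushed before and after the change.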
