Cisco ISE integrates with Windows Hello for Business

oumodom
Level 1

Hello Cisco ISE lover,

I have a plan for Cisco ISE (low impact mode) to integrate with Windows Hello for Business, in terms of authentication (user first logs on with PIN or biometric fingerprint scan/facial recognition).

By feasibility study, we use EAP-FAST [TLS (machine) + MSCHAPv2 (user authentication)].
Has anyone experienced this use case, or have any suggestions?

8 Replies

ccieexpert
Spotlight

I would suggest using TEAP.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

You can use a cert for the machine and user/password for the user, or certs for both.

Greg Gibbs
Cisco Employee

You cannot use MSCHAPv2 in conjunction with Windows Hello. The supplicant has no way to take the Hello input (PIN, for example) and translate that to a username/password to present in the 802.1x response.

If you want to use Windows Hello, you must use certificate-based authentication: EAP-TLS or TEAP(EAP-TLS).

Thanks for your solution, and great idea relying on certificates.
What about challenging with an external identity source like AD to authenticate trusted machine/user identity?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

The certificate identity obtained from the cert, which is generally the UPN user@domain.com, can be looked up in AD/LDAP to verify that it is a valid user, and user/group attributes can be retrieved for authorization to provide a differentiated authorization policy per group (or user).

In my experience, the UPN defined is mostly the domain-joined machine after the selected source sequence, not user@domain.com in AD.

Correct me if I am wrong.

It depends on how the supplicant is configured. See this explanation and example...
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635#toc-hId-296059835

I have Win 10 and 11 instances in my lab that use TEAP(EAP-TLS) or EAP-TLS with User or Computer authentication and they work perfectly with Windows Hello PIN login.

UPN is used a lot for users as well, and for Azure / Entra that is generally a requirement.
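As an added illustration of the lookup described above (example code, not from the thread or from Cisco): a stdlib-only Python sketch that pulls the UPN otherName or dNSName out of a client certificate's SubjectAltName and builds the AD filter an authentication server would then run. The SAN bytes are constructed inline as a sample, and the attribute mapping (userPrincipalName for users, sAMAccountName for host$ UPNs, dNSHostName for machine dNSNames) is an assumption, not ISE's documented behaviour.

```python
UPN_OID_DER = bytes.fromhex("060a2b060104018237140203")  # OID 1.3.6.1.4.1.311.20.2.3 (MS UPN)

def der(tag, body):  # wrap body in a DER TLV (short or long definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_read(buf, pos):  # return (tag, body, next_pos) for the TLV at pos
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def build_san(upn=None, dns=None):  # constructed sample SAN, not from a real cert
    names = b""
    if upn:  # otherName [0] { type-id OID, value [0] EXPLICIT UTF8String }
        names += der(0xA0, UPN_OID_DER + der(0xA0, der(0x0C, upn.encode())))
    if dns:  # dNSName [2] IA5String
        names += der(0x82, dns.encode("ascii"))
    return der(0x30, names)

def parse_san(san):  # pull UPN and dNSName identities out of a SAN DER value
    _, body, _ = der_read(san, 0)
    ids, pos = {"upn": [], "dns": []}, 0
    while pos < len(body):
        tag, item, pos = der_read(body, pos)
        if tag == 0x82:
            ids["dns"].append(item.decode("ascii"))
        elif tag == 0xA0:
            otag, oid, p = der_read(item, 0)
            if der(otag, oid) == UPN_OID_DER:
                _, val, _ = der_read(item, p)  # strip the [0] EXPLICIT wrapper
                ids["upn"].append(der_read(val, 0)[1].decode())
    return ids

def ldap_escape(v):  # RFC 4515: never splice cert-derived text into a filter raw
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in v)
def ad_lookup(ids):  # SAN identity -> AD filter; attribute mapping is an assumption
    for upn in ids["upn"]:
        local = upn.split("@", 1)[0]
        if local.endswith("$"):  # host$@domain names a computer account
            return "machine", f"(sAMAccountName={ldap_escape(local)})"
        return "user", f"(userPrincipalName={ldap_escape(upn)})"
    for host in ids["dns"]:
        return "machine", f"(dNSHostName={ldap_escape(host)})"
    return "none", ""
```

A real deployment reads the SAN from the presented EAP-TLS certificate rather than building it, and the escaping step matters because the SAN contents are attacker-influenced if the issuing CA is not tightly controlled.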

I haven't tested with Windows Hello, but I think if you disable 'use Windows login credentials' for dot1x, it could prompt the user for creds? Of course, certs are the best.