07-03-2019 10:37 AM
Does anyone have experience of Microsoft Local Administrator Password Solution (LAPS) with Cisco ISE? One of my banking customers is managing user local admin accounts using LAPS for helpdesk operations. The customer's system team is using local admin accounts whose passwords are randomly generated.
Are there any integrations or alternatives?
07-03-2019 12:32 PM
I am unable to think of any ISE feature needing integration with LAPS. Please let us know if your customer is using anything specific and encountering interaction issues between ISE and LAPS.
03-03-2020 09:42 AM
Hello,
Yes, there is a reason to integrate LAPS with ISE. A LAPS user (local admin) needs a way to authenticate through 802.1X in order to gain a connection to 802.1X-based wireless networks. Today, when a local user logs in to a domain computer, and with the dual-auth (computer and user) profile enabled in ISE, that computer loses its connection to the 802.1X-based wireless network, because there is no way to introduce that LAPS user into ISE with the randomized password.
Thanks,
03-03-2020 11:32 AM
Hi,
On the Windows side, the randomly generated password is stored in the AD schema as an attribute of the computer object, so the ISE implementation for LAPS could be challenging.
What you can do is the following:
- Use a GPO so that when LAPS is being used, 802.1X uses computer-only authentication, and have an appropriate ISE authorization profile with the needed but restricted network access (regular users should never match this, as the GPO forces computer and user authentication in the 802.1X native supplicant profile and they can't modify it)
- Use a GPO so that when LAPS is being used, 802.1X uses both computer- and user-based authentication, use EAP-TLS and have a certificate in the LAPS user's profile that has something different from regular user certificates, and use it as a condition in your ISE authorization profile
Regards,
Cristian Matei.
03-03-2020 06:01 PM
Thanks for the quick response.
Do you have some example links that explain the GPO part of both cases. I did a bit of search and the results were general and didn't pertain to this specific case.
Thanks again!
03-04-2020 01:33 AM
Hi,
Here's a step-by-step example for the GPO part.
https://www.raydbg.com/2017/How-to-Configure-Wired-Authentication-Settings-via-GPO/
Regards,
Cristian Matei.
03-10-2020 08:27 AM
Hi,
I have the same requirement in a NAM environment. Is it possible to do this?
Thanks and Regards
Shabeeb
03-10-2020 09:36 AM
Hi,
If you're speaking about using the NAM module of AnyConnect, yes, you can achieve the options I highlighted above by using NAM profiles.
Regards,
Cristian Matei.
03-12-2020 02:24 AM
Hi,
We already have NAM profiles for wired and wireless set up for our users. The profiles are using EAP-FAST so that we can do EAP chaining for our users. LAPS is used by the user support personnel to access the machines remotely in case of any reported issues, and they need to have local admin privileges on the machine. My question is: without altering the current EAP-chaining setup, is there any way that we can have the LAPS setup accommodated only for the local admin account?
If I configure two wired profiles in AnyConnect NAM, which profile will it use when it detects a network connection? Are there any conditions I can write in the NAM profile (using the profile editor) itself so that it can choose a specific profile based on the condition?
Thanks and Regards
Shabeeb
03-12-2020 03:45 AM
Hi,
While using EAP-FAST and EAP chaining, if your inner method is EAP-TLS, you can achieve the same thing: have your LAPS accounts be provisioned with a certificate which has a unique field that you can match in your ISE policies (long lifetime, because you're rarely going to use this account on all devices, and you don't want it to expire, so that when the LAPS user connects it is not allowed network access). This one different field in the certificate is required only if you want a different authorization to be pushed from ISE for the LAPS users. We have a problem with the LAPS password not being able to be validated by ISE, thus we don't use EAP-MSCHAPv2 as the inner method, but use EAP-TLS as the inner method.
Regards,
Cristian Matei.
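To make the rule ordering and the expiry caveat from the posts above concrete, here is an added example (not code from the thread, Cisco, or ISE itself) that simulates a first-match ISE authorization policy for EAP-FAST with EAP chaining and an inner EAP-TLS method. It covers both approaches discussed: the computer-only profile that lands in a restricted authorization, and the LAPS account identified by a distinguishing certificate field. The rule names, profile names, the `OU=LAPS-Admins` certificate marker, the chaining-result strings and the sample sessions are all assumptions made for this illustration; ISE exposes the real chaining outcome through its own attribute and value strings, so map them to your policy set and CA template yourself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the CA template used only for LAPS accounts stamps this OU into
# the user certificate, and nothing else in the PKI ever does.
LAPS_CERT_OU = "LAPS-Admins"


@dataclass
class Session:
    """What ISE knows after an EAP-FAST session with EAP chaining (constructed model)."""
    machine_auth_ok: bool                          # machine (computer) leg succeeded
    user_auth_ok: bool                             # user leg (inner EAP-TLS) succeeded
    user_cert_ou: Optional[str] = None             # OU from the user certificate, if presented
    user_cert_not_after: Optional[datetime] = None # user certificate expiry, if presented
    now: datetime = datetime(2024, 1, 1, tzinfo=timezone.utc)


def chaining_result(s: Session) -> str:
    """Collapse the two legs into one chaining outcome (value strings are this example's own)."""
    # An expired user certificate fails the inner EAP-TLS leg before any
    # authorization rule is consulted; the machine leg still stands on its own.
    cert_expired = s.user_cert_not_after is not None and s.user_cert_not_after <= s.now
    user_ok = s.user_auth_ok and not cert_expired
    if s.machine_auth_ok and user_ok:
        return "both-succeeded"
    if s.machine_auth_ok:
        return "user-failed-machine-succeeded"
    if user_ok:
        return "user-succeeded-machine-failed"
    return "both-failed"


# First-match rules, evaluated top to bottom. The LAPS rule must sit above the
# generic domain-user rule: reversed, a LAPS logon also satisfies "both-succeeded"
# and would receive the full-access profile. All names are assumed.
RULES = [
    ("LAPS-Admin",
     lambda s, r: r == "both-succeeded" and s.user_cert_ou == LAPS_CERT_OU,
     "Helpdesk-Restricted"),
    ("Domain-User",
     lambda s, r: r == "both-succeeded",
     "Full-Access"),
    # Matches the computer-only supplicant profile, and also a host whose user
    # leg failed (for instance because the LAPS certificate expired). Whether
    # this profile grants any access at all is a policy choice.
    ("Machine-Only",
     lambda s, r: r == "user-failed-machine-succeeded",
     "Machine-Restricted"),
]
DEFAULT_PROFILE = "Deny-Access"


def authorize(s: Session) -> tuple[str, str]:
    """Return (matched rule name, authorization profile) for a session."""
    r = chaining_result(s)
    for name, condition, profile in RULES:
        if condition(s, r):
            return name, profile
    return "Default", DEFAULT_PROFILE


def demo() -> dict[str, str]:
    """Constructed sessions covering the cases discussed in the thread."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    long_lived = now + timedelta(days=3650)      # the "long lifetime" cert from the post
    cases = {
        "regular user": Session(True, True, "Staff", long_lived, now),
        "laps admin": Session(True, True, LAPS_CERT_OU, long_lived, now),
        "laps admin, cert expired": Session(True, True, LAPS_CERT_OU, now - timedelta(days=1), now),
        "computer-only profile": Session(True, False, None, None, now),
        "non-domain host": Session(False, True, "Staff", long_lived, now),
    }
    return {label: authorize(session)[1] for label, session in cases.items()}


if __name__ == "__main__":
    for label, profile in demo().items():
        print(f"{label:28s} -> {profile}")
```

The interesting row is the expired LAPS certificate: the user leg fails, so the session falls through to the machine-only rule rather than being matched as a LAPS admin, which is why the post recommends a long certificate lifetime for an account that is used rarely but on many machines.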
04-18-2024 07:07 AM
any easy solution for this in 2024?