05-28-2025 09:08 PM
Hello Community.
We want to start using Dot1X authentication in our company. All computers are joined to the domain and Active Directory is integrated with ISE. Everything is OK on this side.
So the initial plan was to use PEAP or TEAP with MSCHAPv2 to achieve the following goals:
1) When a user logs in at the Windows login screen, they get authenticated to Dot1X automatically without needing to reenter credentials.
2) We identify the user in ISE with Active Directory, so we can give each one a dACL and SGT for TrustSec, no matter which computer they sit at.
Now we have a problem. There is a feature in the Windows native supplicant that tells Windows to automatically use the Windows logon name and password (and domain) to authenticate users in Dot1X. This feature is grayed out on some of our computers (check attached picture), so they have to reenter the same credentials after login. I did some research about Windows and I found this link about Windows Credential Guard.
According to the above link, Windows doesn't like MSCHAPv2 anymore and is trying to break this single sign-on feature. So you have two options: one is to disable this feature, which is obviously not recommended, or two is to use certificates.
Now my question is how am I supposed to use ISE user features and TrustSec without authenticating based on my users' credentials? What is the new method when the old one is going to be deprecated?
I know I can get each user a certificate from a CA server, but that would be a lot of overhead and needs new infrastructure, because in that case we would have to manage a large number of certificates, not to mention that some computers are used by different people.
Any help would be much appreciated. Thank you.
05-28-2025 10:56 PM
@AminK You are correct in what you say. If you wish to use user-based segmentation using TrustSec, ISE needs to learn the user identity. Your options are disable Credential Guard and use PEAP/MSCHAPv2 (not recommended) or preferably distribute user certificates, so you can authenticate and authorise the users and assign TrustSec SGT based on user group membership. You would need to distribute user certificates to the devices via AD GPO.
05-28-2025 11:37 PM
@AminK - there is no "easy button" to deploy this - and the hard part is always getting the endpoints to be set up correctly. Setting up DOT1X on a RADIUS server is trivial by comparison. So - if it's any consolation - getting 802.1X running securely on endpoints is HARD WORK. But. As Rob mentioned, for AD-joined devices you can auto-enrol devices to get their Computer Certificates via Group Policy. Someone who knows how to set this up will have no issues doing that. Push the GP update for Computer Cert and Wired Service and Ethernet Supplicant for EAP-TLS (Computer Authentication).
If you don't have an internal PKI already, then setting up two Windows CA servers as issuing CAs is not that tricky. The Root CA could be a VM with openssl/xca that you spin up once to create the certs for the Issuing CAs only and then shut down again. The Issuing CAs do all the client cert issuance (and handle the CRL/OCSP).
I would not bother with user authentication because that involves getting another cert for every user that might potentially use a multi-user capable device. And also, do you need to treat every user login differently? e.g. do you need to switch the VLAN dynamically or download another ACL per user? I have seen one use case like that but it's very rare. Machine/Computer auth happens at boot time and the machine stays authenticated and authorized on the same VLAN as long as the machine is running. When a user logs in, it won't trigger a network auth (ISE) event.
If you don't have on-prem AD then an MDM seems to be the way to go to push certs and Service/Supplicant changes.
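The migration path described in this reply (Credential Guard on, Wired AutoConfig service pushed by GPO, an auto-enrolled computer certificate, EAP-TLS computer authentication) can be checked on an endpoint before the supplicant profile is switched. The following PowerShell script is an added readiness audit, not code from the thread or from Cisco or Microsoft; it reads Credential Guard state from the Win32_DeviceGuard CIM class (1 in SecurityServicesRunning means Credential Guard is active, which is the state in which the MSCHAPv2 "use Windows logon name and password" option is unavailable), confirms the dot3svc service, looks for a machine certificate with the Client Authentication EKU from an issuing CA whose name you pass in (the default "Issuing CA" is a placeholder), and lists the wired profiles the native supplicant currently holds.

```powershell
# Added example: audit a domain-joined Windows endpoint for EAP-TLS computer-auth readiness.
# Run in an elevated PowerShell session. Nothing here changes configuration; it only reports.

# 1. Credential Guard. SecurityServicesRunning contains 1 when Credential Guard is active.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return 'Unknown (Win32_DeviceGuard class not present on this OS)' }
    if ($dg.SecurityServicesRunning -contains 1) { return 'Running' }
    if ($dg.SecurityServicesConfigured -contains 1) { return 'Configured but not running' }
    return 'Not configured'
}

# 2. Wired AutoConfig (dot3svc) must be running for the wired 802.1X supplicant to do anything.
function Get-WiredAutoConfigState {
    $svc = Get-Service -Name 'dot3svc' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Not present' }
    return "$($svc.Status) (StartType: $($svc.StartType))"
}

# 3. A machine certificate usable for EAP-TLS: in LocalMachine\My, private key present,
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2), not expired, issued by your CA.
#    $IssuerMatch is an assumption: substitute the CN of your own issuing CA.
function Get-EapTlsMachineCerts {
    param([string]$IssuerMatch = 'Issuing CA')
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt $now -and
            $_.Issuer -like "*$IssuerMatch*" -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# 4. Wired profiles known to the native supplicant. The output shows the EAP type and the
#    authentication mode (computer, user, or computer-then-user) for each profile.
function Get-WiredProfiles {
    # netsh lan only answers when dot3svc is running; the service check above explains a failure here.
    netsh lan show profiles
}

"Credential Guard : $(Get-CredentialGuardState)"
"Wired AutoConfig : $(Get-WiredAutoConfigState)"
$certs = @(Get-EapTlsMachineCerts)
if ($certs.Count -eq 0) {
    "EAP-TLS machine cert: none found - GPO auto-enrolment has not delivered a usable certificate yet"
} else {
    "EAP-TLS machine cert(s):"
    $certs | Format-Table -AutoSize
}
"Wired 802.1X profiles:"
Get-WiredProfiles
```

An endpoint is ready for the EAP-TLS computer-authentication profile when the first line reports Credential Guard as "Running" (it no longer matters for EAP-TLS), the service is Running, and at least one certificate is listed; if the certificate list is empty after a `gpupdate /force`, the auto-enrolment template or its permissions are the place to look, not the supplicant.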
05-29-2025 08:36 AM
As @Rob Ingram and @Arne Bier have said, use EAP-TLS or TEAP with certificates. Friends don't let friends use PEAP/MS-CHAPv2 in 2025.