cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5835
Views
4
Helpful
9
Replies

Issue with Windows 10 and PEAP

Igor.Dyakonov
Level 1
Level 1

    Hello, community

 

We're experiencing a following issue with our  ISE 2.7 (patch 2). 

 

PEAP  doesn't work if we don't save credentials manually.  

We can't save credential for all our employees for an obvious reason of security. (We don't  know each particular password and we can't run GPO either). 

 

PEAP runs smoothly if we save credentials.   Anyconnect NAM (EAP-FAST) also works great but we still need to be able to run native 802.1x on Windows 10 PCs.

 

We suspect it can be Windows 10 supplicant ( the version is 1703 build 15063.2108) . Should we apply some MSFT KB patches? If so which  are those?

 

If anyone had this issue please comment.

Thank You!

Regards.

 

Save Credentials.PNG

9 Replies 9

Colby LeMaire
VIP Alumni
VIP Alumni

First thing is that your version of Windows 10 that you are running is End of Service.  There have been quite a few versions since then.  Check out the following page for more information on the Windows 10 versions and associated KB articles:

https://docs.microsoft.com/en-us/windows/release-information/

Are your computers joined to a domain?  When you say PEAP doesn't work, can you provide more details?  Is it a case of the computer having no access when the user is not logged in?

   Hi, Colby

 

I'm aware that our PCs has EoS version of Windows 10. I can't do much there as it's not my decision.

Thank You for the link. Not sure whether we can still apply some dot1x related patches to our current Win10 or just upgrade to newer version of Win10.  The last option "upgrade Win10" will be just too long to wait in our implementation of ISE in this moment.

 

Are your computers joined to a domain?

Yes, they are.

 

When you say PEAP doesn't work, can you provide more details?

PEAP (MSHCAP) doesn't work if we don't save credentials manually (screenshot in my previous post) however PEAP runs smoothly if we save credentials.  We have tried to "Lock the user" and "Restart" Windows 10 but nothing helps.

So it's not that ISE has some issue it's rather supplicant PCs don't send user credentials. Running from switch "show auth sess int x/x"  and doing some debug we can only see that dot1x is rather "running" or "stopped". 

 

Here is a complete configuration of dot1x on a PC.  Nothing special.

PEAP config.png

 

 

>>Is it a case of the computer having no access when the user is not logged in?

User always has an access because right now these ports run in open mode.

 

 

Ok, I see the issue now.  It is not a problem with the supplicant at all.  You are configured to do "User authentication" only.  With Windows, the native supplicant does not have access to the user credentials until the user logs in.  Or as in your case, you save the credentials that the supplicant should use before the user logs in.  So that makes sense that you see 802.1x running or stopped because the supplicant won't respond unless it has credentials to send.

I highly recommend changing your supplicant configuration to "Computer authentication" so that you know the computers connecting are machines within your domain.  And the computers would be able to authenticate to the network before the user logs in.

>>With Windows, the native supplicant does not have access to the user credentials until the user logs in. 

 

The native supplicant should have access to the user credential because of enabled checkbox "Automatically use my Windows logon name and password". Even if it hasn't a user credentials Windows should  presenet a Security pop-up window like this https://filestore.community.support.microsoft.com/api/images/112e975c-62f9-4bb0-97e6-2b8cbc7dcaa5

 

>>I highly recommend changing your supplicant configuration to "Computer authentication" so that you know the computers connecting are machines within your domain.  And the computers would be able to authenticate to the network before the user logs in.

I've already ran different options as  "Computer auth" or "User or Computer auth" . Computer authenticates but user doesn't.  We still need to authenticate user.

 

Hello Colby:

 

 This was very helpful information. I was experiencing similar issues however now I am my users are have to accept multiple user certificates and in the event they log into a new machine, they again have to accept the cert. If I set the supplicant to Computer Authentcation only, does that resolve that issue as they would only accept the cert presented to them by ISE during initial access.

Is the screenshot above that shows the 'Automatically use my Windows logon name...' option ticked from a working or non-working PC? If this is from a working PC, you might be running into an issue with Credential Guard being enabled for the non-working PCs.

See this post for more info on Credential Guard.

>>Is the screenshot above that shows the 'Automatically use my Windows logon name...' option ticked from a working or non-working PC?

Non-working PC. I have tried to disable/enable this option but it dind't help.Even if it hasn't a user credentials Windows should  presenet a Security pop-up window like this https://filestore.community.support.microsoft.com/api/images/112e975c-62f9-4bb0-97e6-2b8cbc7dcaa5

But it doesn't show this popup

 

>>you might be running into an issue with Credential Guard being enabled for the non-working PCs.

Yes,  it's clearly something to do with Windows credentials.  I've disabled every option related to Credential Guard. Still it didn't help.

 

 

 

Hi , 

Did you got any solution for this , I face same issue but not getting any solution for this . 

 

Please let me know if you got solution for this.

 

isravr
Level 1
Level 1

>>With Windows, the native supplicant does not have access to the user credentials until the user logs in. 

 My question is:

NAM (supplicant Cisco) does have it?

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: