07-23-2020 06:17 AM
Hi,
I know it may look weird, but as we use Cisco devices and ISE is one of the best for NAC, I'm asking the question here hoping to find some help.
As we know, the NAP service or agent is not included in Windows 10. Prior to it (on Windows 7) we used NAP and NPS to control and prevent non-joined computers from getting access to the network. With Windows 10 this is not an option, and I don't like to get involved with the complexity and costs of Cisco ISE and solutions like that. Is there any way for this to be done using methods like certificates or so?
P.S.
MAC filtering and security, DHCP or solutions like that are not acceptable because we cannot wholly prevent people from bringing their own devices to work (so they can change their MAC, use static IPs, etc.).
We use Windows 2016 AD domain, Windows 10 clients and Cisco devices if it helps.
Thanks !
Labels: Identity Services Engine (ISE)
Accepted Solutions
07-29-2020 10:13 AM
As I said before, 802.1x authentication is separate from any posture/health checking. In Windows, the native supplicant (Wired AutoConfig or Wireless AutoConfig) can do machine authentication with 802.1x. The wireless supplicant is always enabled by default. For the wired side, you need to configure "Wired AutoConfig" to start automatically. Once you do that, you will see another tab show up on your network adapter properties where you can configure "Authentication." If you choose PEAP MS-CHAPv2 as your EAP protocol, then the computer will send its AD computer credentials to authenticate. So as long as the computer is joined to the domain, it will authenticate successfully, assuming your Radius server is configured properly. So if you are just looking for authentication, then you do not need any third-party agent.
If you want to check health status or posture (i.e. anti-virus installed and up-to-date), then that is where you need an agent such as Anyconnect Posture Agent if using ISE.
That is what I was trying to explain to you from the beginning.
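One way to do the Windows-side setup this reply describes, as an added example that is not from the thread: it assumes an elevated PowerShell session on a domain-joined Windows 10 client, and that the switch port and the RADIUS server (NPS or ISE) are already configured for 802.1X with PEAP MS-CHAPv2.

```powershell
# Added example (not from the thread): prepare the Windows 10 native wired
# supplicant for 802.1X machine authentication.
# Assumptions: run elevated; switch port and RADIUS server already set up.

# 1. Wired AutoConfig (service name dot3svc) is Manual by default. It must be
#    running for the "Authentication" tab to appear on the adapter and for
#    EAPOL to be answered on the wire, so set it to Automatic and start it.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc
Get-Service -Name dot3svc | Select-Object Name, Status, StartType

# 2. Machine auth presents the AD computer account, so confirm the host is
#    actually domain-joined; a non-joined PC has no such credential to send.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"{0} domain-joined: {1} (domain: {2})" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

# 3. Show the 802.1X state of each wired interface (look at the State and
#    authentication columns after the port comes up).
netsh lan show interfaces

# 4. Show the wired 802.1X profile(s) applied to the adapters, including the
#    configured EAP type (PEAP) and inner method (MS-CHAPv2).
netsh lan show profiles
```

Re-plug the cable (or bounce the port) after the service starts; the interface state from step 3 should move to authenticated once the RADIUS server accepts the computer account.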
07-23-2020 06:58 AM
To authenticate the devices connecting to the network, you need to use 802.1x. With 802.1x, you need a Radius server of some sort. ISE is the Radius server. Microsoft also has NPS that is a Radius server. And I am sure there are a lot of free Radius servers out there.
07-23-2020 07:25 AM - edited 07-23-2020 07:28 AM
Thanks, but you are wrong. NPS and Windows 7 clients work without any problem (using the 802.1X implementation). But on Windows 10, the NAP agent is removed, so you cannot send computer properties to the RADIUS server in order to make authentication. This is a common, widely known problem on Windows 10, so we are forced to use other solutions that use an agent on the systems and connect to the related RADIUS, like Cisco ISE.
07-23-2020 07:58 AM
I am not wrong! You asked about authenticating the Windows 10 machines to prevent non-corporate devices from connecting to the network. 802.1x is your answer and only requires the Windows Native Supplicant on Windows 10, a network device that supports 802.1x, and a Radius server. Microsoft NPS is a Radius server.
You are wrong! You are confusing Network Access Protection (NAP) with 802.1x authentication. NAP is like Cisco ISE Posture. It sends details about the machine's health to NPS for consideration in access policies. That DOES require the NAP agent. Just like with Cisco ISE, posture requires the Anyconnect Posture agent. But 802.1x is a separate thing.
07-23-2020 12:30 PM
Let's make it simple. As a Microsoft term, NAP is the service controlling dot1x authentication, and the agent is removed in Windows 10. So, computer authentication is not possible in Windows 10 without any agent and just by using the local and native supplicant. Cisco ISE and AnyConnect (on clients) can do the job. Now, to make this discussion go ahead, please just answer yes or no to this question:
Is it possible to control and prevent non-joined computers from accessing the network in Windows 10 without the need of any extra 3rd-party agent? (The RADIUS server is not important and can be NPS or anything else.)
My answer is NO, because the service and agent doing this (name it NAP or NAC or anything) is removed from Windows 10.
Is your answer a YES to my specific question?
Many thanks
07-29-2020 09:53 AM
Still stuck in the machine authentication problem, and maybe these posts confirm that we need a 3rd-party agent on Windows 10 because of lacking NAP.
"Enabling NAP will give you the option to combine user and machine groups in the same policy with an AND statement."
"I have the same issue that Windows 10 is unable to do machine authentication."
"Cisco ACS performs this duty by checking that the user authentication is precluded by a computer authentication, and if there is no computer authentication the user auth is rejected. The feature is called Machine Access Restrictions, though I'm not sure exactly how it works. I assume it checks the client MAC address against the host and user auth request."
"For other people that will read this, I finally managed to resolve my issue using Clearpass Policy Manager from Aruba Networks."
07-29-2020 10:57 AM
Thanks for your help and points. I've just set up a lab with a Windows 2k19 server hosting the NPAS role, Win 10, and a Catalyst 2960 Cisco switch. I'm moving forward on this subject and will update the topic.
Regards
07-31-2020 08:07 AM
Dear Colby,
Let me say that
It WORKED !!
Although there are still so many problems and imperfections, by starting the service (which I wonder why it is not in the automatic state by default) I was able to prevent non-corporate machines from gaining access to the network.
There are still issues like these, which may be related to the Cisco switch or NPS configuration:
- Computer and then User authentication not working (both, in the order mentioned)
- Computer information is sent as null. The user ID is sent as the computer name
- Can't figure out a way to allow the non-corporate computers to gain access and then decide about them based on different criteria (even when no preventive policy is set against a port; for instance, when I just set the rule to "Ethernet" on the switch-port-side device, or a simple day-time restriction which is always true, to let a non-joined PC be able to connect, it does not work)
I'll work on this and guess that it should move forward on the Microsoft forums.
Regards,
07-29-2020 09:56 AM
