07-23-2020 06:17 AM
Hi,
I know it may look weird, but as we use Cisco devices and ISE is one of the best for NAC, I'm asking the question here hoping to find some help.
As we know, the NAP service or agent is not included in Windows 10. Prior to it (on Windows 7) we used NAP and NPS to control and prevent non-joined computers from getting access to the network. With Windows 10 this is not an option, and I don't like to get involved with the complexity and costs of Cisco ISE and solutions like that. Is there any way for this to be done using methods like certificates or so?
P.S.
MAC filtering and security, DHCP or solutions like that are not acceptable because we cannot wholly prevent people bringing their own devices to work (so they can change their MAC, use static IPs, etc.)
We use Windows 2016 AD domain, Windows 10 clients and Cisco devices if it helps.
Thanks!
07-29-2020 10:13 AM
As I said before, 802.1x authentication is separate from any posture/health checking. In Windows, the native supplicant (Wired AutoConfig or Wireless AutoConfig) can do machine authentication with 802.1x. The wireless supplicant is always enabled by default. For the Wired side, you need to configure "Wired AutoConfig" to start automatically. Once you do that, then you will see another tab show up on your network adapter properties where you can configure "Authentication." If you choose PEAP MS-CHAPv2 as your EAP protocol, then the computer will send its AD computer credentials to authenticate. So as long as the computer is joined to the domain, it will authenticate successfully. Assuming your Radius server is configured properly. So if you are just looking for authentication, then you do not need any third-party agent.
If you want to check health status or posture (i.e. anti-virus installed and up-to-date), then that is where you need an agent such as Anyconnect Posture Agent if using ISE.
That is what I was trying to explain to you from the beginning.
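An added example (not from the thread) covering both halves of what Colby describes: turning on Wired AutoConfig on a Windows 10 client, and reading the NPS server's Security log to see whether each request authenticated as the machine (AD computer account, name ending in `$`) or as a user. The service name `dot3svc` and event IDs 6272/6273 are Windows' own; the event-data field names are assumed from the NPS event XML and should be checked against a real event on your NPS.

```powershell
# Added example, not part of the thread. Run the first function on the
# Windows 10 client (elevated), the second on the NPS server.

# --- Client: the Wired AutoConfig service (dot3svc) must be running for the
# "Authentication" tab, and therefore wired 802.1X machine auth, to exist.
function Enable-WiredAutoConfig {
    $svc = Get-Service -Name dot3svc -ErrorAction Stop
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name dot3svc -StartupType Automatic   # survives reboot
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name dot3svc
    }
    Get-Service -Name dot3svc | Select-Object Name, Status, StartType
}

# --- NPS: Security log event 6272 = access granted, 6273 = access denied.
# Machine authentication appears with the computer account (HOSTNAME$) as the
# user name, which is why a machine-auth request looks like it has "no user".
function Get-NpsAuthSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field names below (SubjectUserName, NetworkPolicyName, ReasonCode,
        # EAPType) are assumed from the NPS event XML; verify on your server.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Result   = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            Account  = $data['SubjectUserName']
            AuthType = if ($data['SubjectUserName'] -like '*$') { 'Machine' } else { 'User' }
            EAPType  = $data['EAPType']
            Policy   = $data['NetworkPolicyName']
            Reason   = $data['ReasonCode']   # populated on 6273 only
        }
    }
}

# Example use on the NPS server: group the last day's results.
# Get-NpsAuthSummary -Hours 24 | Group-Object AuthType, Result | Format-Table Name, Count
```

A sudden run of 6273 events with user accounts but no matching machine-account 6272 usually means the supplicant is only attempting user authentication, so check the authentication mode on the adapter before blaming the switch or the policy.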
07-23-2020 06:58 AM
To authenticate the devices connecting to the network, you need to use 802.1x. With 802.1x, you need a Radius server of some sort. ISE is the Radius server. Microsoft also has NPS that is a Radius server. And I am sure there are a lot of free Radius servers out there.
07-23-2020 07:25 AM - edited 07-23-2020 07:28 AM
Thanks, but you are wrong. NPS and Windows 7 clients work without any problem (using the 802.1X implementation). But on Windows 10 the NAP agent is removed, so you cannot send computer properties to the RADIUS server in order to perform authentication. This is a common, widely known problem on Windows 10, so we are forced to use other solutions that use an agent on the systems and connect to the related RADIUS, like Cisco ISE.
07-23-2020 07:58 AM
I am not wrong! You asked about authenticating the Windows 10 machines to prevent non-corporate devices from connecting to the network. 802.1x is your answer and only requires the Windows Native Supplicant on Windows 10, a network device that supports 802.1x, and a Radius server. Microsoft NPS is a Radius server.
You are wrong! You are confusing Network Access Protection (NAP) with 802.1x authentication. NAP is like Cisco ISE Posture. It sends details about the machine's health to NPS for consideration in access policies. That DOES require the NAP agent. Just like with Cisco ISE, posture requires the Anyconnect Posture agent. But 802.1x is a separate thing.
07-23-2020 12:30 PM
07-29-2020 09:53 AM
Still stuck on the machine authentication problem, and maybe these posts confirm that we need a 3rd-party agent on Windows 10 because of the lack of NAP.
Enabling NAP will give you the option to combine user and machine groups in the same policy with an AND statement.
I have the same issue: Windows 10 is unable to do machine authentication.
Cisco ACS performs this duty by checking that the user authentication is preceded by a computer authentication, and if there is no computer authentication the user auth is rejected. The feature is called Machine Access Restrictions, though I'm not sure exactly how it works; I assume it checks the client MAC address against the host and user auth requests.
For other people that will read this, I finally managed to resolve my issue using:
Clearpass Policy Manager from Aruba Networks.
07-29-2020 10:57 AM
07-31-2020 08:07 AM
Dear Colby,
Let me say that
It WORKED!!
Although there are still many problems and imperfections, by starting the service (which I wonder why is not in the automatic state by default) I was able to prevent non-corporate machines from gaining access to the network.
There are still issues like these, which may be related to the Cisco switch or NPS configuration:
- Computer and then User authentication not working (both, in the order mentioned)
- Computer information is sent as null. The user ID is sent as the computer name
- Can't figure out a way to allow non-corporate computers to gain access and then decide about them based on different criteria (even when no preventive policy is set against a port; for instance, when I just set the rule to "Ethernet" on the switch-port-side device, or a simple day-time restriction which is always true, to let a non-joined PC connect, it does not work)
I'll work on this and guess that it should move forward on Microsoft forums.
Regards,
07-29-2020 09:56 AM