05-29-2024 03:58 AM
Hello,
I'm searching for a method of NAC implementation in a scenario using only AD (client doesn't have a CA for generating certs yet) for Wired.
1st do -> Machine (Windows10) authentication with AD (Domain Computer).
2nd do -> User Auth + Authorize with dynamic Vlan x.
I'm not pretty sure how to configure this on ISE. Will there be 2 rules under Authorization? How can I tie this order together?
Also I want the user to enter the credentials only one time, when he logs on to the station; I guess "enable single sign-on" should be checked.
05-29-2024 04:36 PM
Use TEAP as the authentication protocol to provide both machine + user credentials at the same time.
See ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP) for a policy example.
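As an added illustration (not from the original thread and not Cisco's own code), here is a small Python model of how the authorization rules are ordered once TEAP chaining is in place: the EapChainingResult values are assumed from the ISE Network Access dictionary, while the AD group names and VLAN IDs are constructed.

```python
"""First-match model of an ISE authorization policy for TEAP chaining.

Machine-only authentication (PC booted, nobody logged on) lands in a
restricted VLAN; a fully chained machine + user result maps the user's
AD group to the department VLAN; user-only results are denied.
EapChainingResult strings are assumed from the ISE dictionary; group
names and VLAN numbers are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

BOTH = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"
USER_ONLY = "User succeeded and machine failed"


@dataclass(frozen=True)
class Session:
    chaining_result: str                      # Network Access:EapChainingResult
    ad_groups: FrozenSet[str] = frozenset()   # AD ExternalGroups of the user


@dataclass(frozen=True)
class Rule:
    name: str
    chaining: Optional[str]   # required chaining result, None = any
    ad_group: Optional[str]   # required AD group, None = any
    vlan: Optional[int]       # None = DenyAccess


# Ordered like the ISE policy set: specific rules first, catch-all last.
POLICY: List[Rule] = [
    Rule("Sales",       BOTH, "Domain Users/Sales",     110),
    Rule("Marketing",   BOTH, "Domain Users/Marketing", 120),
    Rule("IT",          BOTH, "Domain Users/IT",        130),
    Rule("MachineOnly", MACHINE_ONLY, None, 200),   # pre-logon: GPO/AD only
    Rule("UserOnly",    USER_ONLY, None, None),     # non-domain device: deny
    Rule("Default",     None, None, None),
]


def authorize(session: Session) -> Tuple[str, Optional[int]]:
    """Return (matched rule name, VLAN or None for deny), first match wins."""
    for rule in POLICY:
        if rule.chaining is not None and rule.chaining != session.chaining_result:
            continue
        if rule.ad_group is not None and rule.ad_group not in session.ad_groups:
            continue
        return rule.name, rule.vlan
    raise RuntimeError("policy has no catch-all rule")
```

Because the rules are evaluated top down, the machine-only rule must sit below the group rules, otherwise a chained session would never reach its department VLAN.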
05-29-2024 04:58 AM
Why doesn't the client deploy a PKI/CA? What is the use-case for changing VLANs? PEAP is broken from an encryption standpoint and should no longer be used. Credential Guard in newer versions of Windows disables PEAP.
05-29-2024 05:15 AM
Hello,
The client does not have the technical capability to implement right now a PKI/CA. The use case for changing vlans is for network segmentation for the departments like Sales, Marketing, IT, etc. Each OU group from AD with a different vlans so that we can deploy firewall rules on top.
05-29-2024 05:31 AM
05-29-2024 05:30 PM
Just be aware that, while using TEAP with an inner method of MSCHAPv2 is possible, you will need to ensure that Credential Guard is disabled in order for MSCHAPv2 to work as @ahollifield pointed out earlier.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
Credential Guard was implemented to mitigate specific vulnerabilities (such as pass-the-hash), so a better option would be to move to certificate-based authentication methods like EAP-TLS (as recommended by MS). Microsoft is actively moving to disable support for weak protocols, so I would not be surprised if they remove the ability to disable Credential Guard in the future.
05-29-2024 11:13 PM
Ok, thank you very much guys for all the useful information. I will try it and speak with the customer to migrate to PKI/CA asap.