cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2627
Views
5
Helpful
4
Replies

Unable to RDP to Windows Desktop after dot1x enabled.

Anthony O'Reilly
Participant
Participant

Hi,

 

I have Cisco ISE 2.7 Patch 2 and I've just enabled dot1x on Windows desktops.

 

I have a policy set for Windows desktops to check for username and machine name in Active Directory.

 

I can see on Cisco ISE that the machine has authenticated successfully. I have a dACL and this ACL for now is allowing all traffic while I am troubleshooting this issue. I do not have AnyConnect on the desktops.

 

Since enabling dot1x on the desktops, I cannot RDP from anywhere on the network to the Windows machine.  

 

Any ideas on the next steps to troubleshoot this?

1 Accepted Solution

Accepted Solutions

Anthony O'Reilly
Participant
Participant

Hi,

 

Thanks for all the responses.

 

It looks like there were a few issues:

 

  • The windows machines were recently patched
  • Palo Alto FWs were blocking me from RDP from one subnet to another (as I was on site)
  • I got access to the physical device and logged in, once I did this, the users were able to RDP, FWs not blocking it from the VPN to the subnet where the desktops are.

I am just concerned now that I will need to be at the machine and login to them all as I put dot1x onto them.

 

Do I need licenses for AnyConnect NAM?

View solution in original post

4 Replies 4

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

Hi @Anthony O'Reilly

 try to Wireshark your Desktop and check RDP packet ... to double check if it is something related to your Desktop or not.

 

Hope this helps !!

What are you using authen method?

 

For my experience:

I had deployed 802.1x with PEAP-MSCHAPv2 and I found the RDP problem, root cause is Windows doesn't support dot1x Machine or User authent with RDP service.

If user make RDP connection to machine and logon to windows the EAP message (handshake) doesn't send to Network device, in this case authentication session still be machine and remote user were in limited connection state.

 

I overcome this problem by install software that can proceeds as the 802.1x supplicant such as Anyconnect NAM module, used NAM module insteat of Windows native supplicant (wired AutoConfig service).

 

For my solution:

Created NAM profile with anyconnect profile editor then install NAM module with NAM profile that created and disable network authen on network connection.

 

For Windows 10 you need to edit registry as below figure.
Before begin this task please consider the security affect on you machine.

edit registry.pngNAM module2.jpg

Anthony O'Reilly
Participant
Participant

Hi,

 

Thanks for all the responses.

 

It looks like there were a few issues:

 

  • The windows machines were recently patched
  • Palo Alto FWs were blocking me from RDP from one subnet to another (as I was on site)
  • I got access to the physical device and logged in, once I did this, the users were able to RDP, FWs not blocking it from the VPN to the subnet where the desktops are.

I am just concerned now that I will need to be at the machine and login to them all as I put dot1x onto them.

 

Do I need licenses for AnyConnect NAM?

Microsoft does not consider an RDP login to be a real login worthy of 802.1X authentication so if that is something you are expecting you will be disappointed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers