Solved: Unable to RDP to Windows Desktop after dot1x enabled.

Anthony O'Reilly · ‎04-01-2021

Hi,

I have Cisco ISE 2.7 Patch 2 and I've just enabled dot1x on Windows desktops.

I have a policy set for Windows desktops to check for username and machine name in Active Directory.

I can see on Cisco ISE that the machine has authenticated successfully. I have a dACL and this ACL for now is allowing all traffic while I am troubleshooting this issue. I do not have AnyConnect on the desktops.

Since enabling dot1x on the desktops, I cannot RDP from anywhere on the network to the Windows machine.

Any ideas on the next steps to troubleshoot this?

Anthony O'Reilly · ‎04-02-2021

Hi,

Thanks for all the responses.

It looks like there were a few issues:

The windows machines were recently patched
Palo Alto FWs were blocking me from RDP from one subnet to another (as I was on site)
I got access to the physical device and logged in, once I did this, the users were able to RDP, FWs not blocking it from the VPN to the subnet where the desktops are.

I am just concerned now that I will need to be at the machine and login to them all as I put dot1x onto them.

Do I need licenses for AnyConnect NAM?

View solution in original post

Marcelo Morais · ‎04-01-2021

Hi @Anthony O'Reilly

try to Wireshark your Desktop and check RDP packet ... to double check if it is something related to your Desktop or not.

Hope this helps !!

Chansit Watthanaphothidit · ‎04-01-2021

What are you using authen method?

For my experience:

I had deployed 802.1x with PEAP-MSCHAPv2 and I found the RDP problem, root cause is Windows doesn't support dot1x Machine or User authent with RDP service.

If user make RDP connection to machine and logon to windows the EAP message (handshake) doesn't send to Network device, in this case authentication session still be machine and remote user were in limited connection state.

I overcome this problem by install software that can proceeds as the 802.1x supplicant such as Anyconnect NAM module, used NAM module insteat of Windows native supplicant (wired AutoConfig service).

For my solution:

Created NAM profile with anyconnect profile editor then install NAM module with NAM profile that created and disable network authen on network connection.

For Windows 10 you need to edit registry as below figure.
Before begin this task please consider the security affect on you machine.

Anthony O'Reilly · ‎04-02-2021

Hi,

Thanks for all the responses.

It looks like there were a few issues:

The windows machines were recently patched
Palo Alto FWs were blocking me from RDP from one subnet to another (as I was on site)
I got access to the physical device and logged in, once I did this, the users were able to RDP, FWs not blocking it from the VPN to the subnet where the desktops are.

I am just concerned now that I will need to be at the machine and login to them all as I put dot1x onto them.

Do I need licenses for AnyConnect NAM?

thomas · ‎05-13-2021

Microsoft does not consider an RDP login to be a real login worthy of 802.1X authentication so if that is something you are expecting you will be disappointed.

PSBInfra62128 · ‎11-18-2024

Hi Thomas, how we can fix the issue...we are using NAC and we are facing the issue with RDP login authentication. please share solution.

nachoGrande · ‎03-04-2023

use eap chaining and certificate-based authentication from machine certs.issued by your internal PKI.