Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
624
Views
5
Helpful
1
Replies

User enrolment on windows 10 with credential Guard

Go to solution
jpujol
Cisco Employee
Cisco Employee

‎04-02-2019 09:45 AM

Hi,

 

Credential guard enforcement leads to user certificate use. Problem on a shared desktop when machine + user certs authentication is enforced : as soon as the user log in for the first time, the MS supplicant is missing the user's cert and the machine is disconnected from the network.

 

- Would Anyconnect NAM help by providing a fallback auth with the machine cert again on user auth failure, so allowing to give access to AD, GPO etc ... ?

 

-Would NAM allow to try another auth mechanism whenever the PEAP-EAP-TLS fails ? For example, trying with PEAP-EAP-GTC, so the user enters a token, gets access to the network, and is provisioned with his user cert on that machine. Then TLS is used next time for convenience ?

 

Do you see any other scenario to help for the first connection on a newly deployed or shared desktop ?

 

Thanks, 

 

jean-francois

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
stsargen
Cisco Employee
Cisco Employee

‎04-03-2019 11:58 AM

Hi Jean-francois,

 

NAM profiles only allow configuring a single EAP-method per profile, so you could not have a "fall back" to username/password EAP method such as PEAP-MSCHAPv2 in a single network profile.  This could be configured in another profile for the same network, either wired or wireless.  So in the NAM config you would have something like "Wired-cert" and "Wired-Password".  I assume you are using user certificates that are NOT on a smartcard since you mention provisioning.  This would require you to be configured for Machine auth, and user auth post logon.  In this case the Windows logon should occur over the machine authenticated session and once the Windows desktop loads the user auth would take place.  At this point the user could potentially select the username/password based network profile. The only issue I see with this scenario is that the user would always have the option of using the cert or U/P auth.

 

Thanks,

Steve S.

View solution in original post

1 Reply 1

Go to solution
stsargen
Cisco Employee
Cisco Employee

‎04-03-2019 11:58 AM

Hi Jean-francois,

 

NAM profiles only allow configuring a single EAP-method per profile, so you could not have a "fall back" to username/password EAP method such as PEAP-MSCHAPv2 in a single network profile.  This could be configured in another profile for the same network, either wired or wireless.  So in the NAM config you would have something like "Wired-cert" and "Wired-Password".  I assume you are using user certificates that are NOT on a smartcard since you mention provisioning.  This would require you to be configured for Machine auth, and user auth post logon.  In this case the Windows logon should occur over the machine authenticated session and once the Windows desktop loads the user auth would take place.  At this point the user could potentially select the username/password based network profile. The only issue I see with this scenario is that the user would always have the option of using the cert or U/P auth.

 

Thanks,

Steve S.

Customers Also Viewed These Support Documents