04-02-2019 09:45 AM
Hi,
Credential Guard enforcement leads to user certificate use. Problem on a shared desktop when machine + user cert authentication is enforced: as soon as the user logs in for the first time, the MS supplicant is missing the user's cert and the machine is disconnected from the network.
- Would AnyConnect NAM help by providing a fallback auth with the machine cert again on user auth failure, thus giving access to AD, GPO etc.?
- Would NAM allow trying another auth mechanism whenever PEAP-EAP-TLS fails? For example, trying PEAP-EAP-GTC, so the user enters a token, gets access to the network, and is provisioned with his user cert on that machine. Then TLS is used next time for convenience?
Do you see any other scenario to help with the first connection on a newly deployed or shared desktop?
Thanks,
jean-francois
04-03-2019 11:58 AM
Hi Jean-francois,
NAM profiles only allow configuring a single EAP method per profile, so you could not have a "fall back" to a username/password EAP method such as PEAP-MSCHAPv2 in a single network profile. This could be configured in another profile for the same network, either wired or wireless. So in the NAM config you would have something like "Wired-cert" and "Wired-Password". I assume you are using user certificates that are NOT on a smartcard since you mention provisioning. This would require you to be configured for machine auth, and user auth post logon. In this case the Windows logon should occur over the machine-authenticated session, and once the Windows desktop loads the user auth would take place. At this point the user could potentially select the username/password-based network profile. The only issue I see with this scenario is that the user would always have the option of using the cert or U/P auth.
Thanks,
Steve S.
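The failure described above (the user's first logon on a shared desktop has no user cert for the PEAP-EAP-TLS phase) can be checked from the client before blaming the supplicant or NAM. The script below is an added example, not part of the thread or of AnyConnect NAM; it assumes the machine and user certs live in the personal ("My") stores and carry the Client Authentication EKU.

```powershell
# Added example (not from the thread): report whether this Windows host has a
# machine cert for the machine-auth phase and whether the logged-on user has a
# cert usable for the PEAP-EAP-TLS user-auth phase.
# Assumption: certs are in the "My" stores and carry the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsCandidate {
    param([string]$StorePath)
    $now = Get-Date
    # A cert only helps EAP-TLS if it is valid now, has a private key, and has the EKU.
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

$machineCerts = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')
$userCerts    = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')

Write-Host ("Machine certs usable for EAP-TLS: {0}" -f $machineCerts.Count)
$machineCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

if ($userCerts.Count -eq 0) {
    # This is the first-logon state from the question: machine auth can succeed,
    # but a user-cert profile will fail and the port will drop to the user-auth result.
    Write-Warning 'No valid user cert with Client Authentication EKU and private key in Cert:\CurrentUser\My.'
    Write-Warning 'A PEAP-EAP-TLS user profile will fail on this logon; a password-based profile or machine-only auth is needed to reach AD for enrolment.'
} else {
    Write-Host ("User certs usable for EAP-TLS: {0}" -f $userCerts.Count)
    $userCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

Run it in the user's session right after the first logon; an empty user-cert result with a present machine cert confirms the enrolment-order problem rather than a NAM profile misconfiguration.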