cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

413
Views
5
Helpful
1
Replies
jpujol
Cisco Employee

User enrolment on windows 10 with credential Guard

Hi,

 

Credential guard enforcement leads to user certificate use. Problem on a shared desktop when machine + user certs authentication is enforced : as soon as the user log in for the first time, the MS supplicant is missing the user's cert and the machine is disconnected from the network.

 

- Would Anyconnect NAM help by providing a fallback auth with the machine cert again on user auth failure, so allowing to give access to AD, GPO etc ... ?

 

-Would NAM allow to try another auth mechanism whenever the PEAP-EAP-TLS fails ? For example, trying with PEAP-EAP-GTC, so the user enters a token, gets access to the network, and is provisioned with his user cert on that machine. Then TLS is used next time for convenience ?

 

Do you see any other scenario to help for the first connection on a newly deployed or shared desktop ?

 

Thanks, 

 

jean-francois

1 ACCEPTED SOLUTION

Accepted Solutions
stsargen
Cisco Employee

Hi Jean-francois,

 

NAM profiles only allow configuring a single EAP-method per profile, so you could not have a "fall back" to username/password EAP method such as PEAP-MSCHAPv2 in a single network profile.  This could be configured in another profile for the same network, either wired or wireless.  So in the NAM config you would have something like "Wired-cert" and "Wired-Password".  I assume you are using user certificates that are NOT on a smartcard since you mention provisioning.  This would require you to be configured for Machine auth, and user auth post logon.  In this case the Windows logon should occur over the machine authenticated session and once the Windows desktop loads the user auth would take place.  At this point the user could potentially select the username/password based network profile. The only issue I see with this scenario is that the user would always have the option of using the cert or U/P auth.

 

Thanks,

Steve S.

View solution in original post

1 REPLY 1
stsargen
Cisco Employee

Hi Jean-francois,

 

NAM profiles only allow configuring a single EAP-method per profile, so you could not have a "fall back" to username/password EAP method such as PEAP-MSCHAPv2 in a single network profile.  This could be configured in another profile for the same network, either wired or wireless.  So in the NAM config you would have something like "Wired-cert" and "Wired-Password".  I assume you are using user certificates that are NOT on a smartcard since you mention provisioning.  This would require you to be configured for Machine auth, and user auth post logon.  In this case the Windows logon should occur over the machine authenticated session and once the Windows desktop loads the user auth would take place.  At this point the user could potentially select the username/password based network profile. The only issue I see with this scenario is that the user would always have the option of using the cert or U/P auth.

 

Thanks,

Steve S.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube