cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

575
Views
8
Helpful
4
Replies
Contributor

Windows 10 default wireless security.

Greetings,

I'm trying to find if there is any setting in Windows 10 as to how it handles wireless security. You can change the authentication on the wired adapter, but not on the wireless. I found how to manually change it for a connection once it tries to connect, but want to set a default so users don't have to manually change it.

Basically, we are trying to get away from AnyConnect NAM due to too many issues with Windows 10. I can get everything to work using wasMachineAuthenticated calls, but Windows 10 is defaulting to machine credentials only and I need machine or user credentials.

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advocate

Re: Windows 10 default wireless security.

Dustin,

What you are doing is common with wireless. You have multiple use case scenarios that need to connect to a secure SSID. I have done it 50+ times and it is the same discussion with almost every customer I talk to. Here is how I handle each of those use cases you mentioned:

1) Domain Joined Windows- PEAP domain computer

2) Macs- If they aren’t domain joined I ask them why not. Once they are domain joined you can configure them (much easier if they are using JAMF/Casper manage them) to present their AD computer credentials just like the Windows domain joined devices. If they don’t want to join them to the domain then we may look at allowing PEAP user credentials with a MAC address whitelist of allowed Macs. I have also installed certs on Macs as well as another option.

3) Personal Laptops- what is the use case here? Most times I allow PEAP users from personal devices but move them over to the guest network interface on the WLC to create a secure guest scenario. Employees love it because they can bring their own devices and IT likes it because they aren’t getting access to the internal network. If they have to get on the internal network you can do same type of thing, PEAP User with a whitelist or only a specific AD groups can only do this. I can’t remember the last customer I had that would allow a personal laptop on their secure internal network.

4) Mobile Devices- typically MDM enrolled and you can either use the cert pushed by the MDM or have the MDM push a cert to the phones from the internal CA. So corporate mobile devices would do EAP-TLS.

That is how I handle what you are trying to do. In 75+ installs I think I have had to use NAM once (customer already had it before I got involved) and have never had to use EAP chaining or MAR cache.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

4 REPLIES 4
Highlighted
VIP Advocate

Re: Windows 10 default wireless security.

Dustin,

You should be able to lock down both wired and wireless setting with GPO policies.  Becareful using the MAR cache on ISE it has caveats. 

In most of my installs the customer simply wants to ensure that the attaching device is a managed asset.  PEAP domain computer does that and is very straightforward.  They don't have any reason for differentiated user policies at the access switch level.

If there are needs to go to user level I lean towards EAP-TLS User Certs which for the most part should only arrive on domain joined devices via auto-enrollment.  Then I don't need to do any MAR checks.

I haven't done a ton of deployments, but are you saying the customer is unable to lock down their Windows Environment with GPO policies?

Highlighted
Contributor

Re: Windows 10 default wireless security.

ok, so the short answer to the story is we are trying to do everything with ISE.

Wireless:

We have 1 SSID for on domain, off domain laptops, macbooks, and also phones. Since we needed to differentiate if the PC was on/off domain AND if the user was in the allowed fg group for wireless access, we were/are using AnyConnect EAP Chaining to get both credentials. We think it was Aprils Win10 cumulative update that broke some AnyConnect installs. We were at 4.3.03 and tried to update to 4.4.02 and testing showed it fixing the issue. When we went to mass deploy, we ran into 10-20% of devices failed to update, or just the NAM component failing to install.(Currently working with TAC on this mess).

Even if we fix this round, we already know that the Win 10 creators update requires AnyConnect to be uninstalled before the update.

So, the only possibility of dropping the NAM part of AnyConnect is the use MAR to remember the machine online, and then when the user logs in to verify they have wireless access.

I'll have to see if the System group has a GPO set for the network. As far as I know, they don't have anything set, so was wondering why Win10 Was defaulting to machine only when a Win 7 on domain computer will send the user credentials.

As for EAP-TLS, they don't do user certs currently, so not much I can do about that right now. They want to use ISE to implement private vlans for wired now also.

Highlighted
VIP Advocate

Re: Windows 10 default wireless security.

Dustin,

What you are doing is common with wireless. You have multiple use case scenarios that need to connect to a secure SSID. I have done it 50+ times and it is the same discussion with almost every customer I talk to. Here is how I handle each of those use cases you mentioned:

1) Domain Joined Windows- PEAP domain computer

2) Macs- If they aren’t domain joined I ask them why not. Once they are domain joined you can configure them (much easier if they are using JAMF/Casper manage them) to present their AD computer credentials just like the Windows domain joined devices. If they don’t want to join them to the domain then we may look at allowing PEAP user credentials with a MAC address whitelist of allowed Macs. I have also installed certs on Macs as well as another option.

3) Personal Laptops- what is the use case here? Most times I allow PEAP users from personal devices but move them over to the guest network interface on the WLC to create a secure guest scenario. Employees love it because they can bring their own devices and IT likes it because they aren’t getting access to the internal network. If they have to get on the internal network you can do same type of thing, PEAP User with a whitelist or only a specific AD groups can only do this. I can’t remember the last customer I had that would allow a personal laptop on their secure internal network.

4) Mobile Devices- typically MDM enrolled and you can either use the cert pushed by the MDM or have the MDM push a cert to the phones from the internal CA. So corporate mobile devices would do EAP-TLS.

That is how I handle what you are trying to do. In 75+ installs I think I have had to use NAM once (customer already had it before I got involved) and have never had to use EAP chaining or MAR cache.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

Highlighted
Contributor

Re: Windows 10 default wireless security.

This is what gets weird and complicated with what they are doing.

personal laptops are not allowed, we have a separate BYOD network for those.

we have domain, and non-domain company owned laptops. Basically, on-domain, you can't have admin rights to the system.

And, not all users are allowed wireless access, so can't just base it off the machine.

This is why we are using EAP Chaining with AnyConnect. I need to know if the laptop is on/off domain, and if the user has permission to use the wireless.