
Windows 11 remote desktop fails if ISE exists.

Jero Cheng
Level 1

Hello

My company deployed ISE on the LAN network for staff desktop PCs.

But I found that Windows 11 PCs are unable to connect via RDP if ISE is applied on that network port.

The network switch port has the setting below:

2023-10-19 15_58_31-Window.png

If a target Windows 10 PC is connected to this network port and I then connect via RDP to this target PC from another PC, it works fine.

Test scenario:

1: Windows RDP, click connect to target PC.

2: It looks good, the Windows login screen is shown.

3: The screen freezes for about 10s; I think the re-authentication is in progress.

4: Connected.

If a target Windows 11 PC is connected to this network port and I then connect via RDP to this target PC from another PC, it fails.

Test scenario:

1: Windows RDP, click connect to target PC.

2: It looks good, the Windows login screen is shown.

3: But after about 15s, it disconnects.

4: The target PC is totally disconnected from the network. I must log in to the target PC again locally to get back on to the network.

All our PCs have the same GPO and NIC settings.

I found that ISE takes almost 40-50s to pass the authentication, but the RDP times out within 15s. I think that's why the RDP disconnected.

If I remove the switch port setting shown above, RDP works fine regardless of Win10/11.

I totally disabled the Windows 11 "Credential Guard", as someone said it will break the 802.1x authentication, but it didn't help.

Does anyone have an idea about this?

Thanks a lot, have a nice day.

 

Accepted Solutions

Greg Gibbs
Cisco Employee

See a similar discussion here. The Windows native supplicant will not provide this functionality, so you would need to use the Cisco Security Client (AnyConnect) Network Access Manager (NAM) module as the supplicant to support this RDP use case.


Replies

The big thing is that, to Windows, the RDP does not count as a login. You would need to see what ISE is showing for the port, but I would guess the ACL applied to the port may be blocking the RDP.

Thanks for your information.

But the tests I mentioned above are using the same network port. It gives me a headache.
