
WINDOWS 10 MACHINE AUTHENTICATION WITH ANYCONNECT NAM

kajibola
Level 1

I am deploying ISE 2.2 for a client and we are using AnyConnect NAM for both machine and user authentication. Unfortunately we hit this bug: CSCuw01496

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw01496/?referring_site=bugquickviewredir

The Microsoft support KB is no longer available on Microsoft site.

The available solution was to do the following:

  1. Navigate in Regedit to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
  2. Add a new DWORD (32-bit) Value.
  3. Type LsaAllowReturningUnencryptedSecrets, and then press Enter.
  4. Right-click LsaAllowReturningUnencryptedSecrets, click Modify...
  5. Type 1 in the Value data box, and then click OK.

The registry edit worked, but the customer doesn't want to do a registry edit.

Is there no other way around this bug apart from registry edit?
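The five regedit steps above as a script, added here as an example rather than taken from the original post. It wraps the same value in functions to check it, set it, revert it and audit a list of hosts; the remote audit assumes PowerShell remoting (WinRM) is enabled and the host names passed to it are placeholders.

```powershell
# Added example, not from the original post: the LsaAllowReturningUnencryptedSecrets
# workaround for CSCuw01496 as a script with a check, a revert and a fleet audit.
# Run in an elevated PowerShell session. The remote audit assumes WinRM is enabled
# on the targets (an assumption about the environment, not something the bug requires).

$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsaValue = 'LsaAllowReturningUnencryptedSecrets'

function Get-LsaUnencryptedSecretsState {
    # Returns 0 or 1 when the value exists, $null when it is absent (the Windows default).
    $item = Get-ItemProperty -Path $LsaPath -Name $LsaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$LsaValue
}

function Enable-LsaUnencryptedSecrets {
    # Applies the workaround (DWORD = 1). This is the change Microsoft support
    # describes later in this thread as opening a credential-theft vector.
    New-ItemProperty -Path $LsaPath -Name $LsaValue -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-LsaUnencryptedSecrets {
    # Reverts to the default by deleting the value rather than setting it to 0.
    Remove-ItemProperty -Path $LsaPath -Name $LsaValue -ErrorAction SilentlyContinue
}

function Test-LsaUnencryptedSecretsFleet {
    # Audit: report which hosts currently have the workaround in place.
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $state = Invoke-Command -ComputerName $computer -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name 'LsaAllowReturningUnencryptedSecrets' `
                -ErrorAction SilentlyContinue).LsaAllowReturningUnencryptedSecrets
        }
        [pscustomobject]@{
            ComputerName  = $computer
            WorkaroundSet = ($state -eq 1)
        }
    }
}

# Usage on the local machine:
"Before: $(Get-LsaUnencryptedSecretsState)"
Enable-LsaUnencryptedSecrets
"After:  $(Get-LsaUnencryptedSecretsState)"
# Roll back with Disable-LsaUnencryptedSecrets; audit other hosts with
# Test-LsaUnencryptedSecretsFleet -ComputerName 'pc01','pc02'   (placeholder names)
```

Deploying the value by script or by a Group Policy registry preference only removes the hand-editing; it does not change what the value does, so the Microsoft statement quoted later in the thread applies just the same.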


3 Replies

hslai
Cisco Employee (Accepted Solution)

The other workaround, if applicable, is to use certificate auth instead of passwords.

Could you please provide a little more detail on why it does not work?
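To evaluate the certificate-auth workaround, the following added example (not part of the reply above) lists the machine certificates in LocalMachine\My that EAP-TLS machine authentication could use: ones with a private key, valid dates and the Client Authentication EKU. Whether the issuing CA is trusted by ISE and whether the NAM profile is switched to EAP-TLS are outside what it checks.

```powershell
# Added example, not from the original thread: find machine certificates that
# EAP-TLS machine authentication could use. Assumes the machine cert is enrolled
# into the LocalMachine\My store (the usual location for a domain-issued computer cert).

function Get-MachineAuthCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [datetime]$Now = (Get-Date)
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # A certificate with no EKU extension is technically unrestricted; it is treated as
        # unsuitable here so that only certs explicitly issued for client auth are reported.
        $hasClientAuth = [bool]$ekuExt -and
            (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)
        if ($cert.HasPrivateKey -and $cert.NotBefore -le $Now -and $cert.NotAfter -gt $Now -and $hasClientAuth) {
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $san = ''
            if ($sanExt) { $san = $sanExt.Format($false) }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                SAN        = $san
            }
        }
    }
}

function Test-MachineAuthReady {
    # True when at least one usable machine certificate is present.
    return [bool](Get-MachineAuthCertificate)
}

Get-MachineAuthCertificate | Format-Table -AutoSize
if (-not (Test-MachineAuthReady)) {
    Write-Warning 'No machine certificate with a private key and the Client Authentication EKU was found; enrol one before moving NAM machine auth to EAP-TLS.'
}
```

The Subject and SAN columns are what ISE will see in the certificate authentication profile, so check that the attribute you plan to match (typically the host's DNS name in the SAN) is actually present before changing the policy.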

Microsoft support has informed us that making this change will effectively open a hole in credential protection.

Stated: "Kindly be informed that creating and changing the registry key LsaAllowReturningUnencryptedSecrets to 1 will open a hole in credential protection to allow application compatibility, so applications (and yes, attackers) can extract device secrets in clear text. This behavior is by design and improves protection of the LSA secret. Therefore we need to make it clear that they are opening a credential theft vector. Organizations concerned about credential theft attacks, also known as pass-the-hash attacks, should understand that deploying this registry key makes it easy for attackers to steal the domain-joined device's clear-text password."

Apart from using the machine certificate, do we have an alternative?