Re: Cisco ISE and RDP connection via Wireless network

agipkcoat · ‎07-15-2019

Hi everyone.

We've faced with an interesting behavior of RDP on our corporate workstations.

PC is connected to corporate wireless network and authenticated through Cisco ISE using Cisco AnyConnect NAM = EAP-FAST (MSCHAPv2 for user + EAP-TLS for Workstation).

When the workstation is powered on and authenticates computer's session we can see that workstation is authenticated and available in our network. When remote user tries to connect via RDP on that workstation, it requires to type user’s credentials two times. When the user enters his credentials on login screen, windows accepts it but connection fails.

From the ISE perspective I can see that user established it's session, but windows PC drops his session and sign it out.

#ISE #AnyConnect #RDP

Mike.Cifelli · ‎07-15-2019

Not sure if this relates to your issue that you are facing. However, something to keep in mind when using NAM:
Upon installation of NAM it will restrict logon to a single user. You can fix this via the following reg hack:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

HTH!

agipkcoat · ‎07-15-2019

Hi Mike.

Thanks for your reply.

As I know this registry key affects only on multi session and allows to simultaneously login more than one active user's sessions.

Anyway, I've already tried to use this solution but it not helps. Even if no one user's sessions are established we cannot login via RDP.

stsargen · ‎07-15-2019

This sounds like an issue that has recently come up with Windows firewall quarantining the interface after the remote user logs in. If you disable Windows firewall do you have the same issue? Also, do you have the same issue if you locally logon to the remote machien and then establish an RDP session to it?

agipkcoat · ‎07-15-2019

Windows firewall is disabled for domain networks in our case.

In case if I'll establish my session locally and trying to login to the same session remotely - RDP session establishes successfully.

stsargen · ‎07-16-2019

Please try disabling the firewall completely. From what we have seen the issue is from Windows quarantining the interface until it can decide what firewall policy needs to be applied. Disabling completely will confirm the issue is the same.

agipkcoat · ‎07-17-2019

Looks like disabling of Windows Defender completely works and I can establish RDP session.

But I also noticed that in time when user enters his credentials I can see a couple packets loss. It happens only if workstation is connected via wireless network which works through ISE server with dot1x auth.

And if it is connected to another wireless network which is works without dot1x authentication I also can establish RDP session.

stsargen · ‎07-17-2019

Since you have confirmed that disabling the Windows firewall complete resolves the issue, you can try using this workaround that disables the quarantine functionality of the windows firewall. Keep in mind that this workaround can potentially open you up to certain vulnerabilities.

1. In Registry Editor, locate the following registry subkey: HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy
2. Right-click the FirewallPolicy registry subkey, point to New, and then click DWORD (32-bit) Value.
3. Rename the new registry entry to IntfQuarantineEnabled and set the value to 0.
4. Restart the machine is required

Thanks,

Steve S.

Nameless-IT · ‎07-11-2020

Actually I just faced the same problem today. Still investigating.

Here is my thought process.

It is very common implementation to set a default VLAN (Ex: VLAN 10) for all devices that connect to your network.

This VLAN is reachable via AD and ISE , so that it could perform authentication.

Then User logs in.

According to your Authorization Policy the VLAN will change.

Ex. When User XX logs in with his credentials --> Assign him to VLAN 20

Can you guess what is gonna happen next?

Get a new IP address from subnet bound to VLAN 20

I think here is the problem.

the IP you connected to changes because the user authenticated , thus the connection was lost.

Theoretically (haven't tried it yet) after losing connection, you should be able to connect again to the new IP.

Summary:

PC (initial state)---> IP address 10.1.10.50/24

PC (After User XX logs in) --> IP address 10.1.20.50/24

thus connection is lost to 10.1.10.50 because it changed.