05-14-2018 12:11 AM
Hi all
Customer with a predominantly Windows 10 install base; current auth schema is EAP-MSCHAPv2.
Their standard policy requires Credential Guard to be on by default on the Win 10 desktops. From what I have found, this seems to disable the ability to use EAP-MSCHAPv2 and forces EAP-TLS...
Other than disabling Credential Guard, is there a way to get this to work?
This article explains the issue: http://www.iphase.dk/2017/08/14/windows-10-credential-guard-and-cisco-ise-conflicts/
More: http://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html
Thx
Greg
05-14-2018 01:20 AM
1. Disable Credential Guard
On the host operating system, click Start > Run, type gpedit.msc, and click OK. The Local Group Policy Editor opens.
Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
Select Disabled.
2. Use AnyConnect NAM instead of Windows 10 802.1x supplicant
05-14-2018 07:26 AM
Ok
So disabling Credential Guard is probably out for the customer; they see it as a risk.
If we go with AnyConnect NAM, will it allow EAP-MSCHAPv2 EVEN with CG enabled on the OS?
05-14-2018 07:45 AM
You cannot do EAP-PEAP with Credential Guard enabled. We have a growing Windows 10 implementation, and have switched to using machine/user certificates for authentication using EAP-TLS.
05-14-2018 07:46 AM
I do not believe NAM is able to use password-based auth under these circumstances.
05-14-2018 02:05 PM
I think it will depend where the credentials are stored. If fetched from Windows store, then expect same challenge as native supplicant with PEAP-EAP-MSCHAPv2.
Regarding "So Disabling Credential guard is probably out for the customer .. the see it as a risk", make sure customer understands this is NOT a Cisco ISE limitation but due to security feature that impacts Microsoft's own native supplicant. Certainly the more common workaround for customers wishing to keep Credential Guard is to implement EAP-TLS with certs.
05-14-2018 02:59 PM
This was my experience. EAP-PEAP with MSCHAPv2 is right out. EAP-TLS with machine/user certs was the only manageable method. I will note we use the native supplicant and not NAM.
04-03-2019 12:05 AM
Thanks Craig for the response. My only concern moving to EAP-TLS is using computer + user certificates:
how can you provision user certs at first logon on the computer?
We would like to have user certs for user-based auth (like using AnyConnect ISE posture).
- pre-provisioning user certs is not possible before the user logs in
- when using "shared" computers with each person logging in, this "first logon" use case will be very common, and should not force a special process to get the user cert onto the computer.
1/ Does AnyConnect NAM have some advantages over the Microsoft native supplicant for this particular issue?
2/ What does Cisco recommend as a workaround to the Microsoft "credential guard" feature (which I understand is not Cisco's responsibility)? Do you have a "straight" response to that issue customers are facing?
Thanks
Guillaume
04-09-2019 09:11 AM - edited 04-09-2019 09:24 AM
hello Guill
in case it's still relevant for you, just fall back to "Microsoft: SmartCard or other blah-blah" on the client. It will effectively make the PC request EAP-TLS-only authentication. Meanwhile, configuring ISE for EAP-TLS only is quite straightforward.
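An added example, not code from this thread or from Cisco or Microsoft, that ties together the two points above: the gpedit step that turns Credential Guard on or off, and the "switch the client to EAP-TLS" advice. It reads the Credential Guard state the way an administrator would verify it after the policy change (the Win32_DeviceGuard CIM class and the LsaCfgFlags registry value), then exports the saved Wi-Fi profiles of the native supplicant and reports which still carry PEAP (EAP type 25, with inner type 26 for EAP-MSCHAPv2) versus EAP-TLS (type 13). It assumes Windows 10 with Windows PowerShell 5.1, an elevated prompt, and profiles created by the native supplicant; AnyConnect NAM keeps its own configuration and is not inspected here. The function names and the temporary folder are this example's own choices.

```powershell
# Added example, not the thread's own code. Assumes Windows 10, PowerShell 5.1,
# an elevated prompt, and Wi-Fi profiles owned by the native supplicant.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS services as integer arrays:
    # 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # LsaCfgFlags mirrors the policy: 1 = on with UEFI lock, 2 = on without lock,
    # 0 or absent = off (absent is normal on a machine with no policy applied).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaFlags = 0
    if ($lsa) { $lsaFlags = [int]$lsa.LsaCfgFlags }
    [pscustomobject]@{
        VbsStatus    = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 configured, 2 running
        CgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CgRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlags  = $lsaFlags
    }
}

function Get-NodeText($node) {
    # Leaf elements in exported profiles carry xmlns declarations, so dotted
    # navigation may hand back an XmlElement instead of a plain string.
    if ($node -is [System.Xml.XmlNode]) { $node.InnerText } else { [string]$node }
}

function Get-WlanEapProfiles {
    # netsh writes one XML file per saved profile; export into a throwaway folder.
    $tmp = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh wlan export profile folder="$tmp" | Out-Null
        foreach ($f in Get-ChildItem -Path $tmp -Filter '*.xml') {
            [xml]$p = Get-Content -Path $f.FullName
            $sec = $p.WLANProfile.MSM.security
            # Only 802.1X profiles contain OneX/EAPConfig; PSK and open profiles do not.
            $outer = Get-NodeText $sec.OneX.EAPConfig.EapHostConfig.EapMethod.Type
            if (-not $outer) { continue }
            # For PEAP (25) the password method is the inner Eap/Type, normally 26 = EAP-MSCHAPv2.
            $inner = Get-NodeText $sec.OneX.EAPConfig.EapHostConfig.Config.Eap.EapType.Eap.Type
            $innerType = $null
            if ($inner) { $innerType = [int]$inner }
            [pscustomobject]@{
                Profile  = Get-NodeText $p.WLANProfile.name
                Auth     = Get-NodeText $sec.authEncryption.authentication
                OuterEap = [int]$outer
                InnerEap = $innerType
            }
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$cg = Get-CredentialGuardState
$cg | Format-List

foreach ($prof in Get-WlanEapProfiles) {
    $method = switch ($prof.OuterEap) {
        13      { 'EAP-TLS' }
        25      { if ($prof.InnerEap -eq 26) { 'PEAP-MSCHAPv2' } else { "PEAP (inner type $($prof.InnerEap))" } }
        default { "EAP type $($prof.OuterEap)" }
    }
    # Password-based PEAP is the combination the thread reports as broken once
    # Credential Guard is running; EAP-TLS profiles are unaffected.
    $note = 'ok'
    if ($cg.CgRunning -and $prof.OuterEap -eq 25) {
        $note = 'expect failure: Credential Guard blocks the MSCHAPv2 credential path'
    }
    '{0,-30} {1,-18} {2}' -f $prof.Profile, $method, $note
}
```

Run it once before and once after applying the gpedit change to confirm that the policy actually took effect (a reboot is required before CgRunning changes), and use the profile table to find the SSIDs that still need to be moved to EAP-TLS on the client side.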