ggriesse@cisco.com
Cisco Employee

Windows 10 Credential Guard issue

Hi all

Customer with a predominantly Windows 10 install base; the current auth scheme is EAP-MSCHAPv2.

Their standard policy requires Credential Guard to be on by default on the Win 10 desktops. From what I have found, this seems to disable the ability to use EAP-MSCHAPv2 and forces EAP-TLS ...


Other than disabling Credential Guard, is there a way to get this to work?


This article explains the issue: http://www.iphase.dk/2017/08/14/windows-10-credential-guard-and-cisco-ise-conflicts/

More : http://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html

Thx

Greg

1 ACCEPTED SOLUTION

I think it will depend where the credentials are stored. If fetched from the Windows store, then expect the same challenge as the native supplicant with PEAP-EAP-MSCHAPv2.

Regarding "So disabling Credential Guard is probably out for the customer .. they see it as a risk", make sure the customer understands this is NOT a Cisco ISE limitation but due to a security feature that impacts Microsoft's own native supplicant.  Certainly the more common workaround for customers wishing to keep Credential Guard is to implement EAP-TLS with certs.

nir-r
Enthusiast

1. Disable Credential Guard

On the host operating system, click Start > Run, type gpedit.msc, and click OK. The Local Group Policy Editor opens.

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.

Select Disabled.

2. Use AnyConnect NAM instead of the Windows 10 802.1X supplicant
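Before picking one of the two options above it is worth confirming, on an affected client, that Credential Guard is really running and which saved profiles still use PEAP with inner EAP-MSCHAPv2 (the combination the thread says breaks). The script below is an added example for this page, not code from the thread or from Cisco; it uses the documented Win32_DeviceGuard WMI class and `netsh wlan export profile`, and the EAP type numbers (25 = PEAP, 26 = EAP-MSCHAPv2, 13 = EAP-TLS) are the values Windows writes into profile XML. Run it elevated.

```powershell
# Added example, not from the thread. Reports Credential Guard state and the
# outer/inner EAP types of every saved Wi-Fi profile on a Windows 10 client.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard is the documented WMI class for VBS/Credential Guard state.
    # In SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled but not running, 2 running
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlags               = $lsa.LsaCfgFlags   # 1 = enabled with UEFI lock, 2 = enabled without lock
    }
}

function Get-WlanEapProfiles {
    # Export every saved WLAN profile to XML and read the outer/inner EAP methods.
    $dir = Join-Path $env:TEMP ('wlan-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        foreach ($file in Get-ChildItem -Path $dir -Filter '*.xml') {
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            $onex = $xml.WLANProfile.MSM.security.OneX
            if (-not $onex) { continue }            # PSK/open network, no 802.1X at all
            $eapHost = $onex.EAPConfig.EapHostConfig
            $outer   = [int]$eapHost.EapMethod.Type
            $inner = $null; $winlogon = $null
            if ($outer -eq 25) {                    # PEAP: inner method lives under Config/Eap/EapType/Eap
                $innerEap = $eapHost.Config.Eap.EapType.Eap
                $inner    = [int]$innerEap.Type
                # 'true' means the supplicant pulls the logon credentials from the Windows credential store
                $winlogon = $innerEap.EapType.UseWinLogonCredentials
            }
            [pscustomobject]@{
                # first <name> in document order is WLANProfile/name (GetElementsByTagName ignores the default namespace)
                Profile                = $xml.WLANProfile.GetElementsByTagName('name').Item(0).InnerText
                AuthMode               = $onex.authMode
                OuterEap               = $outer     # 25 = PEAP, 13 = EAP-TLS ("Smart Card or other certificate")
                InnerEap               = $inner     # 26 = EAP-MSCHAPv2
                UseWinLogonCredentials = $winlogon
            }
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$cg = Get-CredentialGuardStatus
$cg | Format-List
$profiles = Get-WlanEapProfiles
$profiles | Format-Table -AutoSize

# Flag the conflict the thread describes: Credential Guard running + PEAP/EAP-MSCHAPv2 profile.
if ($cg.CredentialGuardRunning) {
    $profiles | Where-Object { $_.OuterEap -eq 25 -and $_.InnerEap -eq 26 } | ForEach-Object {
        Write-Warning "Profile '$($_.Profile)' uses PEAP/EAP-MSCHAPv2; expect 802.1X failures while Credential Guard is running."
    }
}
```

Two things to check in the output before deciding anything: `CredentialGuardRunning` is what matters (a machine can be *configured* for it but not running it after a policy change and no reboot), and `LsaCfgFlags = 1` means it was enabled with the UEFI lock, in which case clearing the Group Policy setting in step 1 alone will not turn it off; the UEFI variable has to be removed as well (Microsoft's documented bcdedit/DG readiness tool procedure). `netsh lan export profile` gives the same XML for wired 802.1X profiles.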

OK.

So disabling Credential Guard is probably out for the customer .. they see it as a risk.

If we go with AnyConnect NAM, will it allow EAP-MSCHAPv2 EVEN with CG enabled on the OS?

You cannot do EAP-PEAP with Credential Guard enabled.  We have a growing Windows10 implementation, and have switched to using machine/user certificates for authentication using EAP-TLS.

I do not believe NAM is able to use password-based auth under the circumstances.

It is working for me with EAP-FAST (EAP-MSCHAPv2)


This was my experience. EAP-PEAP with MSCHAPv2 is right out. EAP-TLS with machine/user certs was the only manageable method. I will note we use the native supplicant and not NAM.

Thanks, Craig, for the response. My only concern moving to EAP-TLS is using computer + user certificates:

How can you provision user certs at first logon on the computer?

We would like to have user certs for user-based auth (like using AnyConnect ISE posture).

- pre-provisioning user certs is not possible before the user logs in

- when using "shared" computers where each person logs in, this "first logon" use case will be very common, and should not require a special process to get a user cert on the computer.

1/ Does AnyConnect NAM have some advantages over the Microsoft native supplicant for this particular issue?

2/ What does Cisco recommend as a workaround to the Microsoft "Credential Guard" feature (which I understand is not Cisco's responsibility)? Do you have a "straight" response to that issue customers are facing?

Thanks

Guillaume

I recommend a posting in the anyconnect community

Hello Guill,

In case it's still relevant for you, just fall back to "Microsoft: SmartCard or other blah-blah" on the client. It will effectively make the PC request EAP-TLS-only authentication. Meanwhile, configuring ISE for EAP-TLS only is quite straightforward.
