Windows 10 Credential Guard and Cisco ISE conflicts using PEAP.

If you have enabled Credential Guard in Windows 10 and use Cisco ISE as your network access control, you will run into problems if your authentication method is set to PEAP (EAP-MSCHAPv2).

It turns out that Credential Guard prevents the 802.1X supplicant from sending the user's credentials to the Cisco ISE RADIUS service (or to ANY RADIUS server, for that matter).

You will notice many entries in the ISE Live Authentications view similar to this one:

5440 Endpoint abandoned EAP session and started new

Unfortunately, no fix seems to be available at the time of writing, so switching to certificate- or smart-card-based authentication is the only option short of disabling Credential Guard.

Let's hope this changes in the future, as the PEAP option does provide some flexibility over using certificates, albeit being slower to authenticate.
I doubt it will, though, as this is the price of the added security, and PEAP is not as safe as one might think.

Below is a sample of the steps ISE records when the client tries to connect and fails:

Steps

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12812  Extracted TLS ClientKeyExchange message
12804  Extracted TLS Finished message
12801  Prepared TLS ChangeCipherSpec message
12802  Prepared TLS Finished message
12816  TLS handshake succeeded
12310  PEAP full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge (Step latency=1001 ms)
5440   Endpoint abandoned EAP session and started new
Note that this "bug" affects any authentication that uses PEAP, because withholding the user's credentials from the supplicant is exactly what Credential Guard is designed to do.
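As an added example (not part of the original post), here is a small Python checker that parses ISE "Steps" text in the fused format shown above and flags the Credential Guard pattern: the outer PEAP TLS handshake completes (12310), ISE proposes EAP-MSCHAP for the inner method (11806), and the endpoint abandons the session (5440) without ISE ever extracting an inner response. The step codes are the ones that appear in the trace; the sample lines are constructed and abbreviated.

```python
import re

# Constructed, abbreviated sample in the format ISE shows (step code fused to message).
SAMPLE_STEPS = """\
11001Received RADIUS Access-Request
11017RADIUS created a new session
12300Prepared EAP-Request proposing PEAP with challenge
12310PEAP full handshake finished successfully
12313PEAP inner method started
11806Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305Prepared EAP-Request with another PEAP challenge
11006Returned RADIUS Access-Challenge (Step latency=1001 ms)
5440Endpoint abandoned EAP session and started new
"""

# The step code is the leading digit run; the message starts at the first letter.
STEP_RE = re.compile(r"^\s*(\d+)([A-Za-z].*?)\s*$")

# Codes ISE emits while it is only waiting on the supplicant (as in the trace above).
ISE_WAITING = {12305, 11006}


def parse_steps(text):
    """Split ISE 'Steps' text into a list of (code, message) tuples."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP_RE.match, text.splitlines()) if m]


def credential_guard_signature(steps):
    """Return True when the step sequence matches the Credential Guard failure:
    PEAP TLS completed (12310) before ISE proposed EAP-MSCHAP (11806), and the
    endpoint then abandoned the session (5440) while ISE was still waiting for
    the inner MS-CHAPv2 response, i.e. nothing but waiting codes in between."""
    codes = [code for code, _ in steps]
    if not {12310, 11806, 5440} <= set(codes):
        return False
    propose = max(i for i, c in enumerate(codes) if c == 11806)
    try:
        abandon = codes.index(5440, propose)
    except ValueError:
        return False  # abandoned before the MSCHAP proposal: a different failure
    handshake_ok = 12310 in codes[:propose]
    between = codes[propose + 1:abandon]
    return handshake_ok and all(c in ISE_WAITING for c in between)


if __name__ == "__main__":
    print("Credential Guard pattern:", credential_guard_signature(parse_steps(SAMPLE_STEPS)))
```

Feed it the Steps text of a failed session from the Live Authentications detail page; a client that answered the inner challenge (an extracted-response step between 11806 and 5440) is reported as not matching.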

Read more about this new security mechanism here: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
