The trouble with PEAP and Credential Guard

Credential Guard and Device Guard Illustration

Windows 10 Credential Guard and Cisco ISE conflicts using PEAP.

If you have enabled Credential Guard in Windows 10 and use a network access control solution like Cisco ISE, or just plain WPA2-Enterprise, then you will run into problems if your authentication method is PEAP with inner EAP-MSCHAPv2 and the profile is set to use the Windows logon credentials.

It turns out that Credential Guard prevents the 802.1X supplicant from using the logged-on user's domain credentials for MS-CHAPv2, so no inner response ever reaches the Cisco ISE RADIUS service (or any other RADIUS server, for that matter).

In the ISE Live Authentications view you will notice a lot of entries similar to this:

5440 Endpoint abandoned EAP session and started new

Unfortunately there is no fix at the time of writing, and this is by design. Only the single sign-on case is affected, i.e. a profile that uses the Windows logon credentials: a profile where the user types domain credentials separately still works, because the supplicant computes the MS-CHAPv2 response from the typed password rather than from the hash held by the isolated LSA, but that exposes the password to the same weak protocol. For an unattended, single sign-on connection, switching to certificate or smart card based authentication (EAP-TLS or PEAP-TLS, which is also what Microsoft recommends) is the only option short of disabling Credential Guard.

And it might never get fixed, because this is exactly what Credential Guard was built to stop. MS-CHAPv2 computes its challenge-response from the NT hash of the user's password, the same secret that tools like Mimikatz extract from LSASS for pass-the-hash. With Credential Guard that hash lives only in the isolated LSA process, which performs Kerberos and NTLMv2 operations on behalf of Windows but refuses to produce MS-CHAPv2 (or NTLMv1) responses, since those are weak enough to be cracked or relayed.

Let's hope an alternative comes along in the future, as the PEAP option does provide some flexibility over using certificates, albeit slower to authenticate.
(Though I doubt it, as this is the price of added security - and PEAP is not as safe as one might think.)
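The quickest way to confirm you are hitting this on a given client is to check both halves of the combination: is Credential Guard actually running, and does the 802.1X profile use PEAP with inner EAP-MSCHAPv2 and the Windows logon credentials? The following is an added example, not code from the original post. It assumes a Windows 10 client with the WLAN AutoConfig service, an elevated prompt, and the standard WLAN profile XML schema, in which the MS-CHAPv2 block carries a UseWinLogonCredentials element; the function and output names are my own.

```powershell
# Added example, not code from the original post: audit a Windows 10 client for the
# combination described above, Credential Guard running plus an 802.1X Wi-Fi profile
# that uses PEAP with inner EAP-MSCHAPv2 and the Windows logon credentials.
# Assumes the WLAN AutoConfig service is present and an elevated prompt.
# EAP method numbers are the IANA types: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2.

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists 1 when Credential Guard is active
    # (2 is HVCI); an empty result means the class is not reporting at all.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Get-WlanEapProfileAudit {
    # Export all WLAN profiles to XML (no key material is needed for this) and read
    # the EAP configuration from each one.
    $folder = Join-Path $env:TEMP 'wlan-eap-audit'
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    netsh wlan export profile folder="$folder" | Out-Null

    foreach ($file in Get-ChildItem -Path $folder -Filter '*.xml') {
        [xml]$p = Get-Content -Path $file.FullName -Raw

        # Only 802.1X profiles carry a OneX/EAP block; PSK and open networks are skipped.
        if (-not $p.SelectSingleNode("//*[local-name()='OneX']")) { continue }

        # The EAP config mixes several namespaces, so match elements by local name.
        $types = @($p.SelectNodes("//*[local-name()='Type']") |
                   Where-Object { $_.InnerText -match '^\d+$' } |
                   ForEach-Object { [int]$_.InnerText })
        # MsChapV2ConnectionPropertiesV1 schema: true = "use my Windows logon name and password".
        $winLogon = $p.SelectSingleNode("//*[local-name()='UseWinLogonCredentials']")

        $method = if ($types -contains 25 -and $types -contains 26) { 'PEAP-MSCHAPv2' }
                  elseif ($types -contains 25 -and $types -contains 13) { 'PEAP-TLS' }
                  elseif ($types -contains 13) { 'EAP-TLS' }
                  else { "EAP types $($types -join ',')" }

        [pscustomobject]@{
            Profile           = $p.WLANProfile.name
            Method            = $method
            UsesWinLogonCreds = ($null -ne $winLogon -and $winLogon.InnerText -eq 'true')
        }
    }
    Remove-Item -Path $folder -Recurse -Force
}

$cg = Test-CredentialGuardRunning
"Credential Guard running: $cg"
# A profile is broken by Credential Guard only when all three conditions hold:
# Credential Guard is running, the inner method is EAP-MSCHAPv2, and SSO credentials are used.
$affected = @{ Name = 'BlockedByCredentialGuard'
               Expression = { $cg -and $_.Method -eq 'PEAP-MSCHAPv2' -and $_.UsesWinLogonCreds } }
Get-WlanEapProfileAudit | Select-Object Profile, Method, UsesWinLogonCreds, $affected | Format-Table -AutoSize
```

Wired 802.1X profiles use the same EAP configuration XML; export them with `netsh lan export profile folder=...` instead and feed the files through the same loop. A profile that shows PEAP-MSCHAPv2 with UsesWinLogonCreds false will still prompt the user for credentials rather than fail silently, which is the "prompt and expose credentials" behaviour rather than the abandoned-session behaviour described in this post.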


For those of you who are trying to find this info via Google:

Below is a sample of the steps that occur in Cisco ISE when the client tries to connect and fails:

Steps
11001	Received RADIUS Access-Request
11017	RADIUS created a new session
15049	Evaluating Policy Group
15008	Evaluating Service Selection Policy
15048	Queried PIP
15048	Queried PIP
15048	Queried PIP
15048	Queried PIP
15004	Matched rule
15048	Queried PIP
15048	Queried PIP
15004	Matched rule
11507	Extracted EAP-Response/Identity
12500	Prepared EAP-Request proposing EAP-TLS with challenge
12625	Valid EAP-Key-Name attribute received
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12301	Extracted EAP-Response/NAK requesting to use PEAP instead
12300	Prepared EAP-Request proposing PEAP with challenge
12625	Valid EAP-Key-Name attribute received
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318	Successfully negotiated PEAP version 0
12800	Extracted first TLS record; TLS handshake started
12805	Extracted TLS ClientHello message
12806	Prepared TLS ServerHello message
12807	Prepared TLS Certificate message
12810	Prepared TLS ServerDone message
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12318	Successfully negotiated PEAP version 0
12812	Extracted TLS ClientKeyExchange message
12804	Extracted TLS Finished message
12801	Prepared TLS ChangeCipherSpec message
12802	Prepared TLS Finished message
12816	TLS handshake succeeded
12310	PEAP full handshake finished successfully
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12313	PEAP inner method started
11521	Prepared EAP-Request/Identity for inner EAP method
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
11522	Extracted EAP-Response/Identity for inner EAP method
11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge (Step latency=1001 ms)
5440	Endpoint abandoned EAP session and started new

Note that this is not a bug: it affects any authentication that uses MS-CHAPv2 with the Windows logon credentials, inside PEAP or otherwise, because that is the design of Credential Guard.
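A 5440 on its own does not prove this is Credential Guard: a client that rejects the ISE server certificate also abandons the session, but it does so before step 12816 (TLS handshake succeeded). What distinguishes the Credential Guard case in the trace above is that the TLS tunnel completes, ISE proposes the inner method (11806), and the client never sends another PEAP challenge-response (12304) before the 5440. The following is an added example, not code or a tool from the original post or from Cisco; it classifies a pasted "Steps" trace using only step codes that appear above, and the sample trace is a constructed, abbreviated copy of the real one.

```powershell
# Added example, not from the original post: classify an ISE "Steps" trace so the
# Credential Guard case can be told apart from an outer-TLS (server certificate)
# failure. Uses only step codes that appear in the trace above; the sample trace is
# a constructed, abbreviated copy of the real one.

$sampleTrace = @'
11001	Received RADIUS Access-Request
11017	RADIUS created a new session
11507	Extracted EAP-Response/Identity
12300	Prepared EAP-Request proposing PEAP with challenge
11006	Returned RADIUS Access-Challenge
12318	Successfully negotiated PEAP version 0
12816	TLS handshake succeeded
12310	PEAP full handshake finished successfully
12313	PEAP inner method started
11522	Extracted EAP-Response/Identity for inner EAP method
11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
5440	Endpoint abandoned EAP session and started new
'@

function ConvertFrom-IseSteps {
    param([Parameter(Mandatory)][string]$Text)
    # Each line is "<code><tab or spaces><message>"; the "Steps" header and blanks are skipped.
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\d+)\s+(.+?)\s*$') {
            [pscustomobject]@{ Code = [int]$Matches[1]; Message = $Matches[2] }
        }
    }
}

function Get-PeapAbandonStage {
    param([Parameter(Mandatory)][int[]]$Codes)
    $abandon = [array]::IndexOf($Codes, 5440)
    if ($abandon -lt 0) { return 'no-abandon' }
    $before = $Codes[0..$abandon]
    # No 12816 before the 5440: the client gave up inside the outer TLS handshake.
    if ($before -notcontains 12816) { return 'outer-tls' }
    $proposed = [array]::IndexOf($before, 11806)
    if ($proposed -lt 0) { return 'after-tls-before-inner' }
    # A 12304 after 11806 would mean the client did send an inner response.
    $answered = $false
    if ($proposed + 1 -le $abandon - 1) {
        $answered = ($before[($proposed + 1)..($abandon - 1)] -contains 12304)
    }
    if (-not $answered) { return 'inner-mschapv2-unanswered' }
    return 'inner-later'
}

$explain = @{
    'no-abandon'                = 'No 5440: the endpoint did not abandon the session.'
    'outer-tls'                 = 'Abandoned before 12816 (TLS handshake succeeded): outer TLS failed, check server certificate trust in the client profile.'
    'after-tls-before-inner'    = 'Abandoned after TLS but before the inner method was proposed.'
    'inner-mschapv2-unanswered' = 'Abandoned right after 11806 (inner EAP-MSCHAPv2 proposed) with no inner response: the Credential Guard pattern from this post.'
    'inner-later'               = 'Inner MS-CHAPv2 exchange started; look at the steps after 11806 for the real failure.'
}

$steps = ConvertFrom-IseSteps -Text $sampleTrace
$stage = Get-PeapAbandonStage -Codes $steps.Code
"{0}: {1}" -f $stage, $explain[$stage]
```

To use it on a real case, replace `$sampleTrace` with the Steps column copied from the ISE authentication detail report, or pipe a saved copy through `Get-Content -Raw`. The `outer-tls` branch is worth keeping in mind because it is the other common reason for a flood of 5440 entries after a client image change.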

Read more about this new security mechanism here:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Michael Mardahl

Cloud Enabler - Microsoft Certified Professional

Ballerup, Denmark https://www.iphase.dk