MSEndpointMgr

The trouble with PEAP and Credential Guard

Windows 10 Credential Guard and Cisco ISE conflicts using PEAP.

Credential Guard isolates your credentials to mitigate against MitM attacks

If you have enabled Credential Guard in Windows 10 and have a network security mechanism like Cisco ISE, or just plain Enterprise WPA2, then you will run into some issues if you have set your authentication method to PEAP (EAP-MSCHAPv2).

Credential Guard is a powerful security mechanism against Man-in-the-Middle attacks that have become more common with the rise of the Cryptolocker ransomware.

The service enables virtualization-based security by using the Windows Hypervisor to support security services on the device.

Microsoft makes this available to all their customers running Windows 10 on supported devices, and it is fairly simple to implement.

But it turns out that enabling the service will prevent the authentication supplicant in Windows 10 from sending the user’s credentials to the Cisco ISE RADIUS service (or ANY RADIUS server for that matter).

And you will notice a lot of entries in the Cisco ISE live authentications view, similar to this:

5440 Endpoint abandoned EAP session and started new

What to do?

Unfortunately, a fix from either Cisco or Microsoft does not seem to be available at the time of writing, so switching over to certificate- or smart-card-based authentication is the only option short of disabling Credential Guard.

And it might never get “fixed”, since Credential Guard was developed to secure against tools like Mimikatz, which basically do the same thing as PEAP authentication: pass the user’s hashed credentials.

Let’s hope an alternative comes along in the future, as the PEAP option does provide some flexibility over using certificates, albeit being slower to authenticate. Though I doubt it, as this is the price of added security. And PEAP is not as safe as some might think.

That’s why I recommend using certificate-based authentication with User certificates, which can be distributed either through Group Policy or via Microsoft Intune, leveraging SCEP.
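As an added example, not code from the original post, the PowerShell below checks the two conditions on a client before you migrate profiles: whether Credential Guard is actually running (read from the documented Win32_DeviceGuard class, where SecurityServicesRunning contains 1 for Credential Guard) and which saved Wi-Fi profiles still pair PEAP (outer EAP type 25) with inner EAP-MSCHAPv2 (type 26), read from the XML that netsh wlan export profile writes. The function names and the export folder are my own choices.

```powershell
# Added example (not code from the original post): on a Windows 10 client,
# report whether Credential Guard is running and list saved Wi-Fi profiles that
# combine PEAP (outer EAP type 25) with EAP-MSCHAPv2 (inner type 26), the
# combination this post describes as failing. Run from an elevated prompt.
# Function names and the export folder are my own choices (assumptions).

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists the VBS services that are
    # actually running; Microsoft documents 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-PeapMschapWlanProfiles {
    param([string]$ExportFolder = (Join-Path $env:TEMP 'wlan-profile-export'))

    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    # netsh writes one XML file per saved profile; the 802.1X EAP configuration
    # (EapHostConfig) is embedded in that XML.
    netsh wlan export profile folder="$ExportFolder" | Out-Null

    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
        [xml]$xml = Get-Content -Path $file.FullName -Raw
        # Collect every <Type> element regardless of namespace: the outer
        # EapMethod type and the inner method type both appear as <Type>.
        $types = @($xml.SelectNodes("//*[local-name()='Type']") | ForEach-Object { $_.InnerText.Trim() })
        if ($types -contains '25' -and $types -contains '26') {
            [pscustomobject]@{
                Profile        = $xml.WLANProfile.name
                Authentication = $xml.WLANProfile.MSM.security.authEncryption.authentication
                EapTypes       = ($types -join ',')
            }
        }
    }
}

$cgRunning = Test-CredentialGuardRunning
Write-Host "Credential Guard running: $cgRunning"
$affected = @(Get-PeapMschapWlanProfiles)
if ($cgRunning -and $affected.Count -gt 0) {
    Write-Warning "These PEAP/EAP-MSCHAPv2 profiles will fail to authenticate while Credential Guard is on:"
    $affected | Format-Table -AutoSize
} else {
    Write-Host "No PEAP/EAP-MSCHAPv2 Wi-Fi profile found, or Credential Guard is not running."
}
```

Wired 802.1X profiles use the same EapHostConfig structure and can be exported with netsh lan export profile, so the same filter applies to them. A PEAP profile whose inner method is EAP-TLS (type 13) is deliberately not flagged, because it carries no MSCHAPv2 exchange.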


For those of you who are trying to find this info via Google

Below is a sample of the steps that occur in Cisco ISE when the client tries to connect and fails:

Steps
11001	Received RADIUS Access-Request
11017	RADIUS created a new session
15049	Evaluating Policy Group
15008	Evaluating Service Selection Policy
15048	Queried PIP
15048	Queried PIP
15048	Queried PIP
15048	Queried PIP
15004	Matched rule
15048	Queried PIP
15048	Queried PIP
15004	Matched rule
11507	Extracted EAP-Response/Identity
12500	Prepared EAP-Request proposing EAP-TLS with challenge
12625	Valid EAP-Key-Name attribute received
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12301	Extracted EAP-Response/NAK requesting to use PEAP instead
12300	Prepared EAP-Request proposing PEAP with challenge
12625	Valid EAP-Key-Name attribute received
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318	Successfully negotiated PEAP version 0
12800	Extracted first TLS record; TLS handshake started
12805	Extracted TLS ClientHello message
12806	Prepared TLS ServerHello message
12807	Prepared TLS Certificate message
12810	Prepared TLS ServerDone message
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12318	Successfully negotiated PEAP version 0
12812	Extracted TLS ClientKeyExchange message
12804	Extracted TLS Finished message
12801	Prepared TLS ChangeCipherSpec message
12802	Prepared TLS Finished message
12816	TLS handshake succeeded
12310	PEAP full handshake finished successfully
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
12313	PEAP inner method started
11521	Prepared EAP-Request/Identity for inner EAP method
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12304	Extracted EAP-Response containing PEAP challenge-response
11522	Extracted EAP-Response/Identity for inner EAP method
11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305	Prepared EAP-Request with another PEAP challenge
11006	Returned RADIUS Access-Challenge (Step latency=1001 ms)
5440	Endpoint abandoned EAP session and started new
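To turn that sequence into a check you can run against an exported ISE step list, here is an added PowerShell example (not from the original post; the function name and the verdict fields are my own). The sample step lines are the tail of the sequence shown above. It verifies the pattern that distinguishes this failure from a generic timeout: the outer TLS tunnel completes (12310), the server proposes EAP-MSCHAP for the inner method (11806), and the next thing the endpoint does is abandon the session (5440) without ever answering the inner method.

```powershell
# Added example (not from the original post): flag the ISE step pattern shown
# above. The step lines below are copied from the post's sample; the function
# name and the verdict fields are my own.

$sampleSteps = @'
12310  PEAP full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
5440   Endpoint abandoned EAP session and started new
'@

function Test-PeapAbandonedAtMschap {
    param([Parameter(Mandatory)][string[]]$StepLines)

    # Parse "code  message" lines into objects; lines that do not fit are ignored.
    $steps = foreach ($line in $StepLines) {
        if ($line -match '^\s*(\d+)\s+(.+)$') {
            [pscustomobject]@{ Code = [int]$Matches[1]; Message = $Matches[2].Trim() }
        }
    }
    $codes = @($steps | ForEach-Object Code)

    $tunnelOk   = $codes -contains 12310            # outer TLS tunnel completed
    $proposeIdx = [array]::IndexOf($codes, 11806)   # server proposed EAP-MSCHAP inside the tunnel
    $abandonIdx = [array]::IndexOf($codes, 5440)    # endpoint gave up and started over

    # Anything between the proposal and the abandon other than the wrapper steps
    # (12305 challenge prepared, 11006 Access-Challenge returned) would mean the
    # client actually answered the inner method.
    $unexpected = @()
    if ($proposeIdx -ge 0 -and $abandonIdx -gt ($proposeIdx + 1)) {
        $unexpected = @($codes[($proposeIdx + 1)..($abandonIdx - 1)] | Where-Object { $_ -notin 12305, 11006 })
    }
    $matchesPattern = $tunnelOk -and ($proposeIdx -ge 0) -and ($abandonIdx -gt $proposeIdx) -and ($unexpected.Count -eq 0)

    [pscustomobject]@{
        OuterTunnelEstablished  = $tunnelOk
        InnerMschapProposed     = ($proposeIdx -ge 0)
        ClientAnsweredInner     = ($unexpected.Count -gt 0)
        MatchesCredGuardPattern = $matchesPattern
    }
}

Test-PeapAbandonedAtMschap -StepLines ($sampleSteps -split '\r?\n') | Format-List
```

With the sample above, MatchesCredGuardPattern is True and ClientAnsweredInner is False. If a session instead shows extra steps between 11806 and 5440, the client did respond to the inner method and the cause lies elsewhere (bad password, account lockout, a slow RADIUS backend), so the check keeps you from blaming Credential Guard for every abandoned session.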

Conclusion

Please note that this is not a bug!
It will affect any authentication using PEAP, as this is the design of Credential Guard, so you might want to consider this problem if you have other services that rely on PEAP and experience issues after enabling Credential Guard.

Read more about this new security mechanism here: 
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Michael Mardahl

Michael Mardahl is a seasoned IT pro with over 25 years of experience under his belt. He's a Microsoft Certified Cloud Architect at APENTO in Denmark, where he helps customers move from traditional infrastructure to the cloud while keeping security top of mind. When he's not working, Michael's either spending time with his family and friends or passionately blogging about Microsoft cloud technology. His expertise in this area has even earned him the prestigious title of Microsoft Most Valuable Professional (MVP) in both the Enterprise Mobility and Security categories. In short, Michael is the IT equivalent of a rockstar, but don't expect him to act like one - he's way too down-to-earth for that.
