Hello,

Yes, there is a reason to integrate LAPS with ISE.  A LAPS user (local admin) needs a way to authenticate through 802.1x to pass through and gain wireless connection to 802.1x based wireless connections.  Today, when a local user logs in to a domain computer, and with the dual auth (computer and user) profile enabled in ISE, that computer loses connection to the 802.1x based wireless network, because there is not a way to introduce that LAPS user into ISE with the randomized password.

Thanks,

Hi,

    On the Windows side, the random generated password is stored in the AD schema as an attribute to the computer object, so the ISE implementation for LAPS could be challenging.

    What you can do is the following:

          - Use a GPO so that when LAPS is being used, 802.1x is using computer only authentication, and have an appropriate ISE authorization profile with needed but restricted network access (regular users should never match this, as the GPO forces computer and user authentication in the 802.1x native supplicant profile and they can't modify it)

          - Use a GPO so that when LAPS is being used, 802.1x is using both computer and user based authentication, use EAP-TLS and have a certificate in the LAPS user's profile that has something different than regular user certificates, and use it as condition in your ISE authorization profile

Regards,

Cristian Matei.

Thanks for the quick response.

Do you have some example links that explain the GPO part of both cases.  I did a bit of search and the results were general and didn't pertain to this specific case.

Thanks again!

Hi,

   Here's  astep-by-step example for the GPO part.

 https://www.raydbg.com/2017/How-to-Configure-Wired-Authentication-Settings-via-GPO/

Regards,

Cristian Matei.

Hi,

I have the same requirement in a NAM environment. Is it possible to do this ?.

Thanks and Regards

Shabeeb

Hi,

   If you're speaking about using the NAM module of AnyConnect, yes you can achieve the options i highlighted above, by using NAM profiles.

Regards,

Cristian Matei.

Hi,

We already have NAM profile for wired and wireless setup for our users. The profiles are using EAP-FAST so that we can do EAP-Chaining for our users. The LAPS is used by the user support personnel to access the machines remotely in case of any issues reported and they need to have local admin privileges on the machine. My question is that without altering the current setup of EAP-Chaining is there any way that we can have the LAPS setup accommodated only for the local admin account?.

If I configure two wired profiles in Anyconnect NAM, which profile it will use when it detects a network connection?. Is there any conditions I can write in the NAM profile (using profile editor) itself so that it can choose specific profile based on the condition?.

Thanks

Shabeeb

Thanks and Regards

Hi,

    While using EAP-FAST and EAP-Chaining, if your inner method is EAP-TLS, you can achieve the same thing, have your LAPS accounts be provisioned with a certificate  which has a unique filed that you can match in your ISE policies. (long lifetime cause you're gonna rarely use this account on all devices, and you don't want it to expire, so when the LAPS connects it is not allowed network access). This one different field in the certificate is required only if you want a different authorization to be pushed from ISE for the LAPS users. We have a problem with the LAPS password not being able to be validated by ISE, thus we don't use EAP-MSCHAPv2 as the inner method, but use EAP-TLS as the inner method.

Regards,

Cristian Matei.