Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1439
Views
8
Helpful
4
Replies

Windows 10 default wireless security.

Go to solution
Dustin Anderson
VIP
VIP

‎04-28-2017 11:36 AM

Greetings,

I'm trying to find if there is any setting in Windows 10 as to how it handles wireless security. You can change the authentication on the wired adapter, but not on the wireless. I found how to manually change it for a connection once it tries to connect, but want to set a default so users don't have to manually change it.

Basically, we are trying to get away from AnyConnect NAM due to too many issues with Windows 10. I can get everything to work using wasMachineAuthenticated calls, but Windows 10 is defaulting to machine credentials only and I need machine or user credentials.

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to Dustin Anderson

‎04-28-2017 04:03 PM

Dustin,

What you are doing is common with wireless. You have multiple use case scenarios that need to connect to a secure SSID. I have done it 50+ times and it is the same discussion with almost every customer I talk to. Here is how I handle each of those use cases you mentioned:

1) Domain Joined Windows- PEAP domain computer

2) Macs- If they aren’t domain joined I ask them why not. Once they are domain joined you can configure them (much easier if they are using JAMF/Casper manage them) to present their AD computer credentials just like the Windows domain joined devices. If they don’t want to join them to the domain then we may look at allowing PEAP user credentials with a MAC address whitelist of allowed Macs. I have also installed certs on Macs as well as another option.

3) Personal Laptops- what is the use case here? Most times I allow PEAP users from personal devices but move them over to the guest network interface on the WLC to create a secure guest scenario. Employees love it because they can bring their own devices and IT likes it because they aren’t getting access to the internal network. If they have to get on the internal network you can do same type of thing, PEAP User with a whitelist or only a specific AD groups can only do this. I can’t remember the last customer I had that would allow a personal laptop on their secure internal network.

4) Mobile Devices- typically MDM enrolled and you can either use the cert pushed by the MDM or have the MDM push a cert to the phones from the internal CA. So corporate mobile devices would do EAP-TLS.

That is how I handle what you are trying to do. In 75+ installs I think I have had to use NAM once (customer already had it before I got involved) and have never had to use EAP chaining or MAR cache.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

4 Replies 4

Go to solution
paul
Level 10
Level 10

‎04-28-2017 11:43 AM

Dustin,

You should be able to lock down both wired and wireless setting with GPO policies.  Becareful using the MAR cache on ISE it has caveats. 

In most of my installs the customer simply wants to ensure that the attaching device is a managed asset.  PEAP domain computer does that and is very straightforward.  They don't have any reason for differentiated user policies at the access switch level.

If there are needs to go to user level I lean towards EAP-TLS User Certs which for the most part should only arrive on domain joined devices via auto-enrollment.  Then I don't need to do any MAR checks.

I haven't done a ton of deployments, but are you saying the customer is unable to lock down their Windows Environment with GPO policies?

Go to solution
Dustin Anderson
VIP
VIP
In response to paul

‎04-28-2017 03:05 PM

ok, so the short answer to the story is we are trying to do everything with ISE.

Wireless:

We have 1 SSID for on domain, off domain laptops, macbooks, and also phones. Since we needed to differentiate if the PC was on/off domain AND if the user was in the allowed fg group for wireless access, we were/are using AnyConnect EAP Chaining to get both credentials. We think it was Aprils Win10 cumulative update that broke some AnyConnect installs. We were at 4.3.03 and tried to update to 4.4.02 and testing showed it fixing the issue. When we went to mass deploy, we ran into 10-20% of devices failed to update, or just the NAM component failing to install.(Currently working with TAC on this mess).

Even if we fix this round, we already know that the Win 10 creators update requires AnyConnect to be uninstalled before the update.

So, the only possibility of dropping the NAM part of AnyConnect is the use MAR to remember the machine online, and then when the user logs in to verify they have wireless access.

I'll have to see if the System group has a GPO set for the network. As far as I know, they don't have anything set, so was wondering why Win10 Was defaulting to machine only when a Win 7 on domain computer will send the user credentials.

As for EAP-TLS, they don't do user certs currently, so not much I can do about that right now. They want to use ISE to implement private vlans for wired now also.

Go to solution
paul
Level 10
Level 10
In response to Dustin Anderson

‎04-28-2017 04:03 PM

Dustin,

What you are doing is common with wireless. You have multiple use case scenarios that need to connect to a secure SSID. I have done it 50+ times and it is the same discussion with almost every customer I talk to. Here is how I handle each of those use cases you mentioned:

1) Domain Joined Windows- PEAP domain computer

2) Macs- If they aren’t domain joined I ask them why not. Once they are domain joined you can configure them (much easier if they are using JAMF/Casper manage them) to present their AD computer credentials just like the Windows domain joined devices. If they don’t want to join them to the domain then we may look at allowing PEAP user credentials with a MAC address whitelist of allowed Macs. I have also installed certs on Macs as well as another option.

3) Personal Laptops- what is the use case here? Most times I allow PEAP users from personal devices but move them over to the guest network interface on the WLC to create a secure guest scenario. Employees love it because they can bring their own devices and IT likes it because they aren’t getting access to the internal network. If they have to get on the internal network you can do same type of thing, PEAP User with a whitelist or only a specific AD groups can only do this. I can’t remember the last customer I had that would allow a personal laptop on their secure internal network.

4) Mobile Devices- typically MDM enrolled and you can either use the cert pushed by the MDM or have the MDM push a cert to the phones from the internal CA. So corporate mobile devices would do EAP-TLS.

That is how I handle what you are trying to do. In 75+ installs I think I have had to use NAM once (customer already had it before I got involved) and have never had to use EAP chaining or MAR cache.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Go to solution
Dustin Anderson
VIP
VIP
In response to paul

‎05-01-2017 03:27 PM

This is what gets weird and complicated with what they are doing.

personal laptops are not allowed, we have a separate BYOD network for those.

we have domain, and non-domain company owned laptops. Basically, on-domain, you can't have admin rights to the system.

And, not all users are allowed wireless access, so can't just base it off the machine.

This is why we are using EAP Chaining with AnyConnect. I need to know if the laptop is on/off domain, and if the user has permission to use the wireless.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents