Machine authentication on Windows 10 without using Cisco ISE or similar solutions

  • Question

  • Hi,

    As we know, the NAP service or agent is not included in Windows 10. Prior to it (on Windows 7) we used NAP and NPS to control and prevent non-joined computers from getting access to the network. With Windows 10 this is not an option, and I don't want to get involved with the complexity and costs of Cisco ISE and solutions like that. Is there any way for this to be done using methods like certificates or so?

    P.S.

    MAC filtering and security, DHCP, or solutions like that are not acceptable because we cannot wholly prevent people from bringing their own devices to work (so they can change their MAC, use static IPs, etc.).

    We use a Windows 2016 AD domain, Windows 10 clients, and Cisco devices, if it helps.

    Thanks

    July 23, 2020 13:14

Answer

  •  

    Problem solved

    https://community.cisco.com/t5/network-access-control/machine-authentication-on-windows-10-without-using-cisco-ise-or/m-p/4127552/highlight/false#M561982

    Although there are still so many problems and imperfections, by starting the service (which I wonder why it is not in the automatic state by default) I was able to prevent non-corporate machines from gaining access to the network.

     

    There are still issues like these, which may be related to the Cisco switch or NPS configuration:

     

    - Computer and then user authentication not working (both in the order mentioned)

    - Computer information is sent as null. The user ID is sent as the computer name.

    - Can't figure out a way to allow the non-corporate computers to gain access and then decide about them based on different criteria (even when no preventive policy is set against a port; for instance, when I just set the rule to "Ethernet" on the switch port side device, or a simple day/time restriction which is always true)

     

    Regards,

    • Marked as answer by Mo.Gan July 31, 2020 15:10
    July 31, 2020 15:09

All replies

  • Yes, you can use NPS to perform machine authentication for Windows machines. Is this for Wi-Fi or switch port authentication? I have just completed setting this up for Wi-Fi with Meraki WAPs. Now I'm trying to get this to work for a handful of MacBooks.
    July 23, 2020 22:17
  • Hi,

    I am using NPS, but it works with Windows 7, not 10 (because of the problem I mentioned). I need wired (switch port) authentication, and even dynamic VLAN assignment is not in my mind.

    I think what you've implemented is user-based authentication. What I need is this:

    When a non-corporate (not joined to the domain) computer plugs into the Cisco switch, the port should not be up. A case scenario: valid users are only allowed to use the corporate systems and PCs. There may be cases where a user brings his/her own device such as a laptop, plugs it into the network, enters his/her legitimate credentials, gets access, copies files to the laptop and leaves the company with data that should not be taken away.

    This is why we need Windows 10 systems to be checked and get their switch ports up and running only if the system is a part of the domain.

    Thanks.

    July 24, 2020 5:26
  • You are correct, NPS is not a service you install on Windows 10. It is a role that is installed on Microsoft Server and can act as a RADIUS server. I have this working in my environment using machine authentication based on the 'Domain Computers' group in AD. I created a GPO that pushes out the WPA2 Enterprise Wi-Fi profile to our domain computers so that when it is in range of the SSID it will connect to it, even before a person logs in to the computer. This will work for switches too, as long as they support 802.1X. Also, the NPS server will require a certificate if you use PEAP (either from a Certificate Authority (CA) of yours or a 3rd-party CA).
    July 24, 2020 13:55
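An added example (mine, not code from the thread, from Microsoft, or from Cisco) for the NPS machine-authentication setup the reply above describes and for the "starting the service" fix in the accepted answer. It assumes the service meant is Windows' wired 802.1X supplicant, Wired AutoConfig (dot3svc), which is set to Manual by default and has to be running before a wired adapter will attempt 802.1X at all, and that NPS auditing is enabled so that events 6272 (access granted) and 6273 (access denied) land in the NPS server's Security log. The function names and the sample MAC format are my own.

```powershell
# Added example, not from the original thread.
# Assumption: the service the accepted answer started is Wired AutoConfig (dot3svc),
# the built-in wired 802.1X supplicant. Assumption: NPS auditing is on, so 6272/6273
# appear in the Security log of the NPS server.

# --- Client side: make sure the wired supplicant runs and report per-adapter 802.1X state ---
function Enable-WiredSupplicant {
    $svc = Get-Service -Name dot3svc
    if ($svc.StartType -ne 'Automatic') {
        # Manual is the default; a rebooted client would otherwise never start 802.1X
        Set-Service -Name dot3svc -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name dot3svc
    }
    # "netsh lan" only answers once dot3svc is running; shows 802.1X state per wired adapter
    netsh lan show interfaces
}

# --- Server side (run on the NPS server): show the identity and reason NPS actually saw ---
# Useful for the "computer information is sent as null" / "user ID is the computer name"
# symptoms: the Account and Machine columns show exactly what arrived in the request.
function Get-NpsAuthEvents {
    param(
        [int]$Hours = 1,
        [string]$CallingStationId   # client MAC as the switch reports it, e.g. 00-11-22-33-44-55
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML rather than parsing the message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            Account    = $d['SubjectUserName']     # computer account (host/... or NAME$) for machine auth
            Machine    = $d['SubjectMachineName']  # empty when the supplicant sent no machine identity
            NasId      = $d['NASIdentifier']       # the switch
            ClientMac  = $d['CallingStationID']
            AuthType   = $d['AuthenticationType']
            EapType    = $d['EAPType']
            Policy     = $d['NetworkPolicyName']   # which NPS network policy matched, if any
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    } | Where-Object { -not $CallingStationId -or $_.ClientMac -eq $CallingStationId }
}

# Usage:
# Enable-WiredSupplicant
# Get-NpsAuthEvents -Hours 4 | Format-Table Time, Result, Account, Machine, Policy, Reason -AutoSize
```

Run the first function on the client, plug it into the 802.1X-enabled port, then run the second on the NPS server. A machine-only attempt shows the computer account in Account with the policy that matched (or the ReasonCode for the denial); a BYOD laptop that never starts 802.1X produces no event at all, which is what you expect when the port is to stay down for it.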
  • Thanks, but we are talking about two different things. To make it clear, will you please answer this:

    Is it possible to make Windows 10 clients access the switch port only if the machine is a domain-joined one? (by just using PKI, a RADIUS server like NPS, and the native supplicant agents on Windows 10)

    I think that's not possible because the agent doing this on a Windows machine has been removed in Windows 10.

    I'll be glad if I can have your and the others' ideas and experiences about this.

    Thanks

    July 24, 2020 19:46
  • To be clear ... yes it is possible.

    1. Network Policy Server (NPS) works the same for switches as it does for Wi-Fi.

    2. You do not need any agent to accomplish this task.

    July 24, 2020 20:32
  • My experience says it's OK on Win7 (I've done that), but because of the lack of a NAP agent on Win10, it's not possible there. But I'll give it another try and let you know the outcome. Meanwhile, it would be so kind of you if you could check it on your existing implementation, and by this I mean: wired authentication using .1X on Win10 for preventing non-domain computers from accessing the switch port and the network. Many thanks
    July 24, 2020 21:35
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    July 29, 2020 7:30
  • I'm setting up a lab and will update this thread. User auth is easy to achieve, but computer information seems not to be sent.
    July 29, 2020 16:44
  • We will wait for your new updates.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    July 30, 2020 1:39
  • Are you following a guide or walk through? If so which one?
    July 30, 2020 19:18