Hi
As mentioned, the static host list will for sure work, but the static host lists are mostly left in ClearPass due to backward compatibility. The user interface for the static host list is quite user-unfriendly, in my opinion. The entries are added in chronological order and it's not possible to search in the list.
Why not have both EAP-PEAP and EAP-TLS in the same service? Eventually you need to modify the AD search query to search for both sAmAccountName and UPN, but if the only difference is the authentication method I would recommend having only one service.
The reason why you can't utilize an AD attribute is that the AD information is read after the actual authentication has taken place. You can also add a custom attribute to the Endpoints repository if you would like to have two services. The Endpoints repository is searchable, but depending on your administrative delegation of rights the static host list can be a better option if you need to delegate the right to add MAC addresses to a person who is not familiar with ClearPass and you would like to limit the damage they can do.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Aug 03, 2023 04:11 PM
From: hhiggins
Subject: CPPM: Migrate from EAP-MSCHAPv2 to EAP-TLS
Howdy,
We are currently running Windows 10 and using CPPM to perform 802.1X on our WIRED ports for both user and computer accounts. The access switch is a 6300M. Our Windows 10 clients are using EAP-PEAP, EAP-MSCHAPv2.
In testing Windows 11 we have found that this no longer works and are forced to change to a more secure and modern method of EAP-TLS.
We have created a test service to only use EAP-TLS in CPPM and manually added the test Windows 11 machine to the policy and everything works as it should.
The challenge we are facing, and can't seem to find a solution to, is how we can target this policy to only the Windows 11 machines we are replacing, as we don't want to change the Windows 10 machines. We were hoping to use an AD group attribute, but don't see that as an option. Does anyone have any ideas?
Thanks in advance