The trouble with PEAP and Credential Guard

Why you should switch from PEAP to certificate-based authentication…

Windows 10 Credential Guard and Cisco ISE conflicts using PEAP.

Credential Guard isolates your credentials to mitigate against MitM attacks

If you have enabled Credential Guard in Windows 10 and have a network security mechanism like Cisco ISE or just plain Enterprise WPA2, then you will run into some issues if you have set your authentication method to PEAP (EAP-MSCHAPv2).

It turns out that Credential Guard will prevent the authentication supplicant from sending the user's credentials to the Cisco ISE RADIUS service (or ANY RADIUS server for that matter).

And you will notice a lot of entries in the Cisco ISE live authentications view, similar to this:

5440 Endpoint abandoned EAP session and started new

Unfortunately, a fix from either Cisco or Microsoft does not seem to be available at the time of writing, so switching over to certificate- or smart-card-based authentication is the only option short of disabling Credential Guard.

I recommend using certificate-based authentication with user certificates, which can be distributed either through Group Policy or via Microsoft Intune.

And it might never get fixed, since Credential Guard was developed to secure against tools like Mimikatz, which basically do the same thing as PEAP authentication – namely passing the user's hashed credentials.

Let’s hope an alternative comes along in the future, as the PEAP option does provide some flexibility over using certificates, albeit being slower to authenticate.
Though I doubt it, as this is the price of added security. And PEAP is not as safe as some might think.


For those of you who are trying to find this info via Google…

Below is a sample of the steps that occur in Cisco ISE when the client tries to connect and fails:

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge (Step latency=1001 ms)
5440 Endpoint abandoned EAP session and started new

Note that this is not a bug!
It will affect any authentication using PEAP as this is the design of Credential Guard.
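
To triage many failed sessions, the pattern in the trace above can be checked mechanically. The following is an added example, not part of the original post or any Cisco tooling: it uses only step IDs that appear in the trace on this page, the classification labels are this example's own, and a match is consistent with the Credential Guard behaviour described here rather than proof of it.

```python
import re

# Step IDs as they appear in the ISE trace on this page.
TLS_OK = "12816"          # TLS handshake succeeded
INNER_MSCHAP = "11806"    # inner method proposing EAP-MSCHAP with challenge
ACCESS_REQUEST = "11001"  # endpoint sent another RADIUS Access-Request
ABANDONED = "5440"        # Endpoint abandoned EAP session and started new

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(\S.*)$")

# Abridged tail of the trace shown on this page.
SAMPLE_TRACE = """\
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11006 Returned RADIUS Access-Challenge
5440 Endpoint abandoned EAP session and started new
"""

def step_ids(text):
    """Extract the numeric step IDs, in order, from pasted ISE 'Steps' text."""
    return [m.group(1) for m in map(STEP_RE.match, text.splitlines()) if m]

def classify(text):
    """Say where in the PEAP exchange the endpoint gave up (labels are this example's own)."""
    ids = step_ids(text)
    if ABANDONED not in ids:
        return "not-abandoned"
    before = ids[:ids.index(ABANDONED)]
    if TLS_OK not in before:
        return "abandoned-before-tls-tunnel"
    if INNER_MSCHAP not in before:
        return "abandoned-before-inner-mschap"
    last = len(before) - 1 - before[::-1].index(INNER_MSCHAP)
    if ACCESS_REQUEST in before[last + 1:]:
        return "abandoned-after-answering-mschap"
    # Tunnel is up, MSCHAP challenge was sent, and the endpoint never replied:
    # the pattern this page attributes to Credential Guard.
    return "inner-mschap-challenge-unanswered"

if __name__ == "__main__":
    print(classify(SAMPLE_TRACE))
```

Sessions that land in one of the other classes stopped at a different point in the exchange and should be investigated separately.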

Read more about this new security mechanism here:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Michael Mardahl

Michael works as a Cloud Architect with APENTO in Denmark, specializing in customer journeys from classic infrastructure to cloud consumption. He has been in the IT industry for more than 20 years and has experience from a broad range of IT projects. When not at work, Michael enjoys spending time with family and friends, and blogs passionately about Enterprise Mobility whenever he has time to spare.
