Friday, August 25, 2017

Windows PE and Cisco ISE authentication 802.1x

Windows PE  and Cisco ISE authentication

This blog entry is intended to assist you when implementing a Cisco ISE next generation network across the organisation.  Without ISE profiles the SCCM Task Sequence will fail to connect to Distribution Points and the MDT database.  UNC paths are blocked and network access is restricted.
Cisco ISE by design will restrict network access to prevent unauthorized clients from simply plugging their equipment into the network and being routed like a authorised client.
Computer and User Authentication (explain in detailed section)
Cisco ISE profiles should be implemented in two ways; Cisco ISE profiles via Group Policy for domain joined systems, and to bake ISE profiles into the SCCM Boot Image.  The guide below will explain how to implement both configuration setups.


Tutorial - WinPE

Microsoft has detailed the two XML files required to achieve User Authentication when in WinPE here

Create an XML called "EthernetLANProfile.xml" containing the following. The Thumb Print detailed within <TrustedRootCA> should reflect a trusted Third Party Cert; This ISE certification should also be deployed to all Domain Joined systems for GPO ISE Profiles (see below Tutorial - OS)

<?xml version="1.0"?>
<!-- Sample LAN profile: EthernetLANProfile.xml" -->
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig><EapHostConfig
          xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type
          xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId
          xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType
          xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId
          xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config
          xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap
          xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type><EapType
          xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
          <TrustedRootCA>1a 2b 3c 4d 56 78 90 aa bb cc dd ee ff 1a 2b 3c 4d 5e 6f</TrustedRootCA>
          </ServerValidation><FastReconnect>true</FastReconnect>
          <InnerEapOptional>false</InnerEapOptional><Eap
            xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type><EapType
            xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
          <UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap>
          <EnableQuarantineChecks>false</EnableQuarantineChecks>
          <RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions>
          <PerformServerValidation
            xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false
          </PerformServerValidation><AcceptServerName
            xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false
            </AcceptServerName><PeapExtensionsV2
            xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
          <AllowPromptingWhenServerCANotFound
            xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3">true
          </AllowPromptingWhenServerCANotFound></PeapExtensionsV2></PeapExtensions></EapType>
        </Eap></Config></EapHostConfig></EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>



Create another XML file called "EAP_UserData.xml" containing the Service Account User Credentials.

<?xml version="1.0"?> <!-- Sample EAP user data: EAP_UserData.xml" --> <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials"> <EapMethod> <eapCommon:Type>25</eapCommon:Type> <eapCommon:AuthorId>0</eapCommon:AuthorId> </EapMethod> <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1"> <baseEap:Eap> <baseEap:Type>25</baseEap:Type> <MsPeap:EapType> <MsPeap:RoutingIdentity>onex\administrator</MsPeap:RoutingIdentity> <baseEap:Eap> <baseEap:Type>26</baseEap:Type> <MsChapV2:EapType> <MsChapV2:Username>SVC-Account-Name</MsChapV2:Username> <MsChapV2:Password>SVC-Account-password</MsChapV2:Password>
<MsChapV2:LogonDomain>SVC-Account-Domain</MsChapV2:LogonDomain>
</MsChapV2:EapType> </baseEap:Eap> </MsPeap:EapType> </baseEap:Eap> </Credentials> </EapHostUserCredentials>


The SCCM Boot image will need to contain the WinPE-Dot3Svc Optional Component.  However, from my experience this component doesnt work in Windows 10 version 1607 or 1703.
The component wizard completes without errors however, the Dot3Svc cannot start in WinPE. Micrsoft have detailed the issue here

The component will need to be manually installed; download the KB4025632 MSU file from Windows Update Catalog- ## https://www.catalog.update.microsoft.com/Search.aspx?q=KB4025632

The following two command will mount the Boot.wim Image and inject the Dot3Svc component.

Dism /Mount-Image /ImageFile:"C:\temp\WinPEx64\sources\boot.wim" /index:1 /MountDir:"C:\temp\WinPE_amd64-mount"

Dism /Add-Package /Image:"C:\temp\WinPE_amd64-mount" /PackagePath:"C:\temp\WinPEx64\windows10.0-kb4025632-x64_af86717e4eec306948b23cd1e82ff95640e51f5e.msu"

Before the Boot image is dismounted and copied to SCCM we also need to bake the ISE XML profiles into the Boot image.

Copy the EthernetLANProfile.xml & EAP_UserData.xml created earlier into the folder  "windows\system32"

C:\temp\WinPE_amd64-mount\windows\system32\

Dism /Unmount-Image /MountDir:"C:\temp\WinPE_amd64-mount" /commit

After installing the component copy the wim to your Boot image source location.
Add a custom prestart command.  Open the Properties of the Boot image and go to the customization tab, enable the prestart command and type the following three commands (enable Dot3svc, import Ethernet Profile , import User Auth Profile"

cmd /c powershell -noninteractive -command net start dot3svc & cmd /c netsh lan add profile filename=%SYSTEMDRIVE%\windows\system32\EthernetLANProfile.xml interface=*  & cmd /c netsh lan set eapuserdata filename="%SYSTEMDRIVE%\windows\system32\EAP_UserData.xml" alluser=yes Interface=*


 Within the SCCM console update the distribution point to inject the SCCM binaries and distribute the WIM to your PXE enabled distribution Points.

Once the Boot image is loaded and you have typed your WinPE password (if present) the Prestart command will launch (Custom Hook).  WinPE will run the commands in the TSConfig.ini file located on the root of the X drive.

Before the list of Task Sequences (if available) are presented you will see a command window appear starting the dot3svc service and configure the User Authentication ISE profiles created earlier.

If you wanted to check that ISE is running before kicking off the Task Sequence then you can:-

Hit F8 for a command prompt (if enabled in the boot image)
Type:
 PowerShell -command Get-Service dot3svc 

You should see the service status as running

Running       dot3svc            Wired AutoConfig





15 comments:

  1. Woah, the coding you have added in your blog is way too complicated and requires professional help to understand. That is the reason my friend also takes from experts whenever he writes any code. I think I should also take custom philosophy essay services for my philosophy courses. So that I can get the desired scores in my ongoing courses.

    ReplyDelete
  2. The policy itself indirectly has an impact on Sbobet betting sites which are always blocked. So there is one way to use the Sbobet Alternative Link that has not been touched until now. Here are some alternative Sbobet linkswhich can be used at any time and can help you become the first choice to enter the original Sbobet soccer gambling game site. alternatif sbobet

    ReplyDelete
  3. Jili slot, entrance to the web slot, direct website Direct from the parent website, bet on Gili slots here before anyone else, easy to play, just sign up and win many special bonuses. If interested, click!!! jili slot เล่นผ่านเว็บ

    ReplyDelete
  4. Jatin Shan (Actor) Age, Height, Weight, Wife, Affairs, Biography, Family, Facts, Net Worth & More. Jatin Shan WIKI/Biography Jatin Shah is an Indian television ... swara bhaskar husband

    ReplyDelete
  5. Kanak's Kitchen Hindi is a YouTube based food channel which showcases best recipes hosted by Kanak Khathuria along with Transcend Films Private Limited. There ... सूजी के अप्पे बनाने की विधि

    ReplyDelete
  6. Nice post mate, keep up the great work, just shared this with my friendz gage green group seeds

    ReplyDelete
  7. Video Downloader Script offers you to download videos in multiple formats including MP4, M4A, 3GP from multiple sources which includes fbdown

    ReplyDelete
  8. Your work is truly appreciated round the clock and the globe. It is incredibly a comprehensive and helpful blog. betflik28

    ReplyDelete
  9. Impressive web site, Distinguished feedback that I can tackle. Im moving forward and may apply to my current job as a pet sitter, which is very enjoyable, but I need to additional expand. Regards. บาคาร่า เว็บตรง

    ReplyDelete
  10. I got too much interesting stuff on your blog. I guess I am not the only one having all the enjoyment here! Keep up the good work. betflik เครดิตฟรี

    ReplyDelete
  11. This is very interesting content! I have thoroughly enjoyed reading your points and have come to the conclusion that you are right about many of them. You are great. ดาวน์โหลดslotxo

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. You delivered such an impressive piece to read, giving every subject enlightenment for us to gain information. Thanks for sharing such information with us due to which my several concepts have been cleared. วิธีการเล่นเสือมังกร

    ReplyDelete
  14. Excellent post. I was always checking this blog, and I’m impressed! Extremely useful info specially the last part, I care for such information a lot. I was exploring this particular info for a long time. Thanks to this blog my exploration has ended. Nft projects

    ReplyDelete
  15. The Ignorant Angels Capitulo 9 Online Sub Español dalimotion video,The Ignorant Angels doramasflix

    ReplyDelete