Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple EAP Types NPS Server

  • 1.  Multiple EAP Types NPS Server

    Posted Jan 18, 2013 02:07 PM

    I am testing setting up an NPS server to support PEAP and EAP-TLS. I can get each to work individually, but I am wondering if it is possible to have both EAP types enabled on the same NPS server at once. My test controller is a 3200 on AOS 6.1.3.5. I am terminating EAP at the RADIUS server.

    What seems to happen is that the EAP type that is first in my "Network Policies" is the one that works. The other EAP type that is lower in the list will not work. Based on a Wireshark capture from the NPS server, the Access-Requests from both EAP-PEAP and EAP-TLS clients are replied to using the EAP type of the first Network Policy.

    I tried adding the "Allowed EAP Types" condition to the Network Policy, but that didn't work.

    Has anyone had success with supporting 2 different EAP types on NPS?




  • 2.  RE: Multiple EAP Types NPS Server
    Best Answer

    Posted Jan 18, 2013 02:29 PM

    Well, it seems that simply talking (or rather typing) things out has fixed my problem. :smileyvery-happy:

    I changed my "Connection Request Policies" section. I thought that I needed 2 policies in here, one for EAP-PEAP and one for EAP-TLS. What I tried instead was combining the two. The Connection Request Policy that works has both EAP types listed under the "Authentication Methods" section.

    I do still have 2 policies in the "Network Policies" section. One is for EAP-TLS devices and one is for EAP-PEAP. The EAP-TLS policy specifies EAP-TLS as an Allowed EAP Type. The EAP-PEAP policy specifies EAP-PEAP as an Allowed EAP Type.

    I have included screenshots to help eliminate confusion.

    I hope that this helps others that might get stuck on this.



  • 3.  RE: Multiple EAP Types NPS Server

    Posted Jan 21, 2013 01:05 PM

    I would say the proper way to handle this is to not specify/override the authentication methods in the Connection Request Policy, but instead to just use the Network Policies to define what authentication methods you wish to support.



  • 4.  RE: Multiple EAP Types NPS Server

    MVP
    Posted Jan 21, 2013 02:19 PM

    I agree.

    When we used NPS servers, I talked with Microsoft support. They suggested having the Connection Policy very general and doing all segmentation with Network Policies.

    That worked very well for us until we were able to move to Aruba ClearPass Policy Manager for our RADIUS server.



  • 5.  RE: Multiple EAP Types NPS Server

    Posted Jan 21, 2013 02:49 PM

    Thanks for the responses.

    I attempted to keep the Connection Policy generic and not specify any authentication methods there. I initially only specified EAP types in the Network Policies. This configuration did not work.

    The only configuration that worked for me was specifying both EAP-TLS and PEAP-MSCHAPv2 in the Connection Policy.



  • 6.  RE: Multiple EAP Types NPS Server

    EMPLOYEE
    Posted Jan 21, 2013 03:01 PM

    @mgreen wrote:

    Thanks for the responses.

    I attempted to keep the Connection Policy generic and not specify any authentication methods there. I initially only specified EAP types in the Network Policies. This configuration did not work.

    The only configuration that worked for me was specifying both EAP-TLS and PEAP-MSCHAPv2 in the Connection Policy.


    You are doing it right.  That is the only way it works on NPS server.



  • 7.  RE: Multiple EAP Types NPS Server

    Posted Jan 21, 2013 04:26 PM

    @cjoseph wrote:
    You are doing it right.  That is the only way it works on NPS server.

    Maybe you're referring to this tidbit from Microsoft? -

    Quote - "When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability."

    In any case, I can confirm that having a single generic Connection Policy, with a single Network Policy that has multiple authentication methods (like PEAP-MSCHAP v2 and PEAP-TLS or EAP-TLS) does indeed work.



  • 8.  RE: Multiple EAP Types NPS Server

    EMPLOYEE
    Posted Jan 21, 2013 04:33 PM
    What he said
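The symptom in the first post (only the EAP type of the first Network Policy works) and the combined-policy fix confirmed in reply 7 come down to how the server handles the client's EAP NAK. The following is an added illustration, not NPS code or anything from this thread: a deliberately simplified model (an assumption about ordering, not a description of NPS internals) in which the first policy wins, the server offers that policy's first EAP type, and a NAK from the client is honoured only for types the same policy allows. Policy names are constructed.

```python
from dataclasses import dataclass

# IANA-assigned EAP method type numbers (RFC 3748 / IANA EAP registry).
EAP_TLS = 13
EAP_PEAP = 25


@dataclass
class NetworkPolicy:
    name: str
    allowed_eap_types: list  # ordered; the first entry is what the server offers


def negotiate(policies, client_types):
    """Model one EAP negotiation against an ordered list of network policies.

    Assumption (simplified model, not NPS internals): the first policy wins,
    the server offers that policy's first type, and if the client answers with
    a NAK listing the types it supports (RFC 3748 section 5.3) the server only
    accepts a type that the same policy also allows.
    Returns (policy_name, eap_type) on success or (None, reason) on failure.
    """
    if not policies:
        return None, "no network policy configured"
    policy = policies[0]
    offered = policy.allowed_eap_types[0]
    if offered in client_types:
        return policy.name, offered
    # The client rejects the offered type with a NAK naming what it can do.
    for proposed in client_types:
        if proposed in policy.allowed_eap_types:
            return policy.name, proposed
    return None, f"{policy.name} allows none of {sorted(client_types)}"


# Layout from the first post: two single-type policies, PEAP listed first.
SPLIT_PEAP_FIRST = [NetworkPolicy("Wireless PEAP", [EAP_PEAP]),
                    NetworkPolicy("Wireless EAP-TLS", [EAP_TLS])]
# Layout confirmed in reply 7: one policy listing both methods.
COMBINED = [NetworkPolicy("Wireless 802.1X", [EAP_PEAP, EAP_TLS])]


def outcomes(policies):
    """Negotiation result for a PEAP-only client and an EAP-TLS-only client."""
    return {"peap_client": negotiate(policies, {EAP_PEAP}),
            "tls_client": negotiate(policies, {EAP_TLS})}


if __name__ == "__main__":
    for label, pol in (("split, PEAP first", SPLIT_PEAP_FIRST), ("combined", COMBINED)):
        print(label, outcomes(pol))
```

With the split layout the EAP-TLS client is rejected after its NAK, which is the behaviour the first post saw in Wireshark; with both methods in one policy each client negotiates its own type.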