Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

  • 1.  [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Apr 29, 2020 10:30 AM

    Attached is a PDF on how to configure Clearpass authentication using EAP-TEAP, also known as EAP-Chaining.

     

    Environment:

    Device: Windows 10 Insider Preview 2004 build 19613.

    CPPM: 6.9.0

     

    EAP-TEAP (RFC 7170) Abstract:

       This document defines the Tunnel Extensible Authentication Protocol
       (TEAP) version 1.  TEAP is a tunnel-based EAP method that enables
       secure communication between a peer and a server by using the
       Transport Layer Security (TLS) protocol to establish a mutually
       authenticated tunnel.  Within the tunnel, TLV objects are used to
       convey authentication-related data between the EAP peer and the EAP
       server.


    EAP-TEAPv1 allows for the User and Machine to authenticate during the same session. This will make User + Machine authentication much more graceful.

     

    Instead of relying on the Machine authentication cache in CPPM, you will get the authentication status on the first authentication attempt of both the User and Machine.

    NOTE: My original post disappeared for some reason without notice, so I'm posting again. If I have violated a forum rule somehow please let me know.

    Attachment(s): ClearPass_EAP-TEAP.pdf (PDF, 388 KB)


  • 2.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 11, 2020 11:39 PM

    Very interesting, thanks for sharing!

    I can see it being extremely useful in 802.1X (using EAP-TLS), transitioning from wired to WLAN.



  • 3.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 11, 2020 11:53 PM

    No problem. EAP-TEAP is a game changer. 

     

    I should also note that I worded my notes poorly around identity privacy. You shouldn't ever "untick" the box. It is an important security precaution so the username is not sent in plaintext. 

     

    I will update the doc when I'm near my computer. 



  • 4.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 13, 2020 10:18 AM

    So what is the behaviour with TEAP if the client PC is not logged in? Then it's only a computer authentication?

     

    When it logs in, you get a computer and user authentication?



  • 5.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 13, 2020 10:20 AM

    Yes. The User method will be blank. In that regard you will handle it the same as previous EAP methods.



  • 6.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 01, 2021 07:12 AM
    While this does work, it will not allow me to get any info from LDAP.
    The %{Authentication:username} inside LDAP queries doesn't seem to work with TEAP.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 7.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 02, 2021 06:17 AM
    Ok, I was able to overcome this issue.

    One thing I'm missing with TEAP:
    - Is it possible to make a query to get the groups the machine is member of?

    The TEAP-Method-1-Username is "host/MACHINE.fqdn", and I can't match that with any attribute inside AD. Any way to get it to show as MACHINE$?

    Thanks.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 8.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Nov 24, 2021 03:37 AM
    Hi all,

    I face the same problem: TEAP cannot authorize the AD machine group.

    ------------------------------
    Ivan Yeung
    ------------------------------



  • 9.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Dec 07, 2022 09:51 AM

    Hi Ricardoduarte,

    Did you find a solution to your problem? I'm currently facing the same...

    Thank you for your help ;)




  • 10.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Dec 08, 2022 09:38 AM

    I tried to set this up in my lab and have a working solution. If you duplicate your AD Authentication Source, name it TEAP Computer or so, you can adapt the Filter Query to: (&(sAMAccountName=%{Authentication:TEAP-Method-1-Username})(objectClass=computer)) and then apply that Auth Source as additional Authorization in your service.

    Screenshots:
    Authentication Source Filter tab (removed some other queries):
    Filter for line 1:
    Authorization tab in the service:

    For the Groups retrieval to work, I added a role mapping:
    If you leave this out, you will get the memberOf requested, but Groups is empty.

    Then in Access Tracker under Authorization you can see the TEAP Groups, memberOf and UserDN (which in fact is a computer DN ;-):

    Now creating a policy based on that should be obvious.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Feb 09, 2023 02:58 AM

    Hello,

    I have the same problem, anyone solved it and know what the query should look like? Regards




  • 12.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Feb 14, 2023 06:14 AM

    Check here. Or open a new post explaining what your problem is. This is a long thread and multiple topics, which makes it unclear what the problem is that you are facing.



    ------------------------------
    Herman Robers
    ------------------------------



  • 13.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Feb 14, 2023 11:49 AM

    We have a fix for this in 6.10.8 / 6.9.13. ClearPass will add a $ after stripping the machine name. You still have to modify the auth source filters to use TEAP-Method-1-Username for lookups as described by Herman below.
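The machine-identity problem raised in posts 7, 10 and 13 comes down to one transformation: Windows presents the Method-1 identity as "host/MACHINE.fqdn", while the AD computer object is keyed on sAMAccountName "MACHINE$". The added example below (not ClearPass code, and not from the thread's author) reproduces that mapping and builds the filter from post 10 around it. It also escapes the value per RFC 4515 before placing it in the filter, which is a caveat worth knowing when any supplicant-supplied string is substituted into an LDAP query; the function names and the assumption that the short host name is everything before the first dot are mine.

```python
"""Derive an AD computer sAMAccountName from a TEAP Method-1 identity and
build the authorization filter safely (added example, not ClearPass code)."""
from typing import Optional

# RFC 4515 escaping for characters that are special inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a string so it can only ever be matched as a literal attribute value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def machine_sam_account(method1_username: str) -> Optional[str]:
    """Map 'host/MACHINE.fqdn' to 'MACHINE$'.

    Assumption: the short host name is the label before the first dot, and
    the '$' suffix is what AD uses for computer accounts (the fix described
    in post 13 strips the name and appends '$' the same way). Returns None
    for identities that are not machine identities, e.g. a user UPN.
    """
    if not method1_username.lower().startswith("host/"):
        return None
    fqdn = method1_username[len("host/"):]
    short = fqdn.split(".", 1)[0]
    if not short:
        return None
    return short if short.endswith("$") else short + "$"


def computer_filter(method1_username: str) -> Optional[str]:
    """Build the filter from post 10 with the derived name substituted in.

    Any filter metacharacters in the supplicant-supplied identity are escaped,
    so a crafted identity cannot widen the search (the last test shows this).
    """
    sam = machine_sam_account(method1_username)
    if sam is None:
        return None
    return f"(&(sAMAccountName={ldap_escape(sam)})(objectClass=computer))"


if __name__ == "__main__":
    # Constructed sample identities, not captured from a real authentication.
    for ident in ("host/MACHINE.corp.example", "jdoe@corp.example"):
        print(ident, "->", computer_filter(ident))
```

In ClearPass itself the substitution is done by the `%{Authentication:TEAP-Method-1-Username}` placeholder in the authentication source's filter query; this block only shows what a correct result of that substitution looks like, and why the value should be treated as untrusted input.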




  • 14.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Jul 21, 2022 07:15 PM
    Hi,

    How can I know which supplicant(s) are capable of EAP chaining?

    Should I install a driver on Windows?



    ------------------------------
    J Santamaria
    ------------------------------



  • 15.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Jul 22, 2022 05:44 AM
    TEAP is available in Windows 10 version 2004 and newer as a basic part of the operating system. No need to install anything.

    ------------------------------
    Herman Robers
    ------------------------------



  • 16.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Oct 02, 2023 03:15 AM

    Hi Herman,

    I've been watching all your videos posted on YouTube for Clearpass configuration and they give a tremendous help. Thank you very much. Now I want to build a solution for the client that would use EAP-TEAP. Based on your video on YouTube you advise to uncheck "enable identity privacy" for TEAP settings. I did it and then adjusted all policies in Clearpass to include the TEAP method and use Method 2. Alas, all endpoint authentication attempts are rejected and I clearly see "anonymous" is being sent by Windows 10. Then I adjusted the service profile in Clearpass as it was advised in this forum thread, namely RADIUS:IETF username equals %{Authentication:TEAP-Method-2-Username}. Still the same rejection. Any suggestions or insights? I'm desperate. Is something wrong with Windows 10? It is the newer build that apparently has EAP-TEAP available.




  • 17.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Oct 05, 2023 09:38 AM

    I'm not fully sure what I advised in that video, but know that things have changed and also I think you can't really turn off the anonymous identity in Windows 10 anymore in recent versions. Regardless, for me it works with anonymous authentication and you can even select which username is used (the Method-1 or Method-2) by returning either one as IETF:Username, so if Method-2 fails, you return IETF:Username = %{Authentication:TEAP-Method-1-Username}; otherwise the Method-2-Username.

    But if authentication fails already, please check what is the reason of failing. Does your service match? Do you see any more specific information in the Alerts tab?



    ------------------------------
    Herman Robers
    ------------------------------



  • 18.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Oct 05, 2023 11:24 AM

    Good day, Herman!

    Many thanks for the reply and willingness to help.

    Yeah, I developed an idea that it is all Windows' "fault" to send the "anonymous" username in the authentication request.

    Here's what you showed in your video to unselect, and this is exactly what I did.


    Access Tracker in Clearpass gives me an explicit reason for rejecting.

    [Screenshots of Access Tracker not available]

     

    So, if your anonymous authentication works, how would I construct the service if an endpoint sends "anonymous" regardless of the setting in the supplicant?

    Maybe I need to populate that field with something known to Clearpass that would be the condition to continue with the authentication request?

     

    Eugene Pefti
    Senior Consultant, Network Security
    Compugen Inc.
    M: 1.778.316.1800
    epefti@compugen.com
    www.compugen.com
    100 Via Renzo Dr., Richmond Hill, ON L4S 0B8, Canada






  • 19.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Oct 06, 2023 07:57 AM

    To add to the issues... it looks like you cannot disable identity privacy in Windows 11 any longer. I am running into this with a client of mine and we have no way around it that I can figure out.

    Anthony




  • 20.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Oct 07, 2023 03:46 PM

    Not sure if it really matters, but curious: you don't even see the option to have it unchecked? Staying away from Windows 11, but sooner or later it will dominate, at least in the customer organizations, and actually I already learned it the hard way that the Windows supplicant sends out the "anonymous" username regardless of whether you enabled it or not.




  • 21.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    EMPLOYEE
    Posted Oct 06, 2023 08:03 AM

    Ok, this may indeed be confusing... for the service selection (service rules) you would need to use the anonymous identity, where you have the option to change it on the client and make a better decision for multiple types of clients (different group policies/Intune policies).

    This is what I did in my service for TEAP to separate the TEAP out from TLS/PEAP:

    This checks for either TEAP or anonymous. If you have Intune-managed clients and domain-managed clients you could use a different anonymous identity to map to the right service if these devices connect to the same network (SSID/Wired).

    Hope this helps you further... Once the TEAP authentication is starting, it should populate the Method-1 and Method-2 attributes with status/username.



    ------------------------------
    Herman Robers
    ------------------------------

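Posts 17 and 21 between them describe the decision logic on the ClearPass side: select the service on the outer method or the anonymous outer identity, then, once the inner TEAP methods have run, pick which username to return as IETF:Username and decide what kind of session it is (post 5 covers the no-user-logged-in case). The added example below is a plain Python model of those rules written for this thread; it is not ClearPass code. The `TeapRequest` fields, the "Success"/"Failure" status values and the `outer_method` attribute are assumptions used to make the rules executable, not attribute names confirmed by the thread.

```python
"""Model of the TEAP service-selection and username-selection rules discussed
in this thread (added example; assumed attribute names, not ClearPass code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TeapRequest:
    """One TEAP authentication as the policy engine would see it.

    outer_identity is the RADIUS User-Name sent before the TLS tunnel is up;
    Windows sends "anonymous" when identity privacy is enabled. The Method-1
    (machine) and Method-2 (user) legs are the EAP-Chaining results inside
    the tunnel. Status values "Success"/"Failure"/None are an assumption.
    """
    outer_identity: str
    outer_method: str                      # assumed, e.g. "TEAP", "EAP-TLS", "PEAP"
    method1_status: Optional[str] = None   # machine leg, identity host/MACHINE.fqdn
    method1_username: Optional[str] = None
    method2_status: Optional[str] = None   # user leg; None when nobody is logged in
    method2_username: Optional[str] = None


def matches_teap_service(req: TeapRequest) -> bool:
    """Service rule from post 21: match TEAP by outer method *or* by the
    anonymous outer identity, so TEAP is kept apart from TLS/PEAP services."""
    return req.outer_method.upper() == "TEAP" or req.outer_identity.lower() == "anonymous"


def select_ietf_username(req: TeapRequest) -> str:
    """Rule from post 17: return the Method-2 (user) name as IETF:Username,
    falling back to the Method-1 (machine) name when Method-2 did not succeed."""
    if req.method2_status == "Success" and req.method2_username:
        return req.method2_username
    if req.method1_status == "Success" and req.method1_username:
        return req.method1_username
    return req.outer_identity  # nothing better than the outer identity


def classify(req: TeapRequest) -> str:
    """Session type for enforcement: both legs, machine only (post 5: no user
    logged in), user only, or reject when neither inner method succeeded."""
    machine_ok = req.method1_status == "Success"
    user_ok = req.method2_status == "Success"
    if machine_ok and user_ok:
        return "machine+user"
    if machine_ok:
        return "machine-only"
    if user_ok:
        return "user-only"
    return "reject"


if __name__ == "__main__":
    # Constructed sample request: identity privacy on, both legs succeeded.
    sample = TeapRequest("anonymous", "TEAP", "Success", "host/PC1.corp.example",
                         "Success", "jdoe@corp.example")
    print(matches_teap_service(sample), select_ietf_username(sample), classify(sample))
```

The point of keeping the two stages separate is the one post 21 makes: the outer "anonymous" identity is only useful for picking the service, and everything that identifies the endpoint or user has to come from the Method-1/Method-2 attributes populated after the tunnel is established.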


  • 22.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Oct 07, 2023 03:38 PM

    Thank you, Herman,

    Since I'm doing the pilot for the hospital wired dot1x, it is slightly different, i.e. no SSID in the service rule, but I have adjusted it to look similar.

     

    I already chatted with one of your colleagues, i.e. Brandon Murrey, and we walked through it together and even collected captures on the endpoint for EAPOL traffic. He is investigating it and it looks like it has something to do with Hello messages during the SSL/TLS negotiation between the client and Clearpass. The session just times out now and I can't see that it gets to the identity verification step

     

    I'm trying to understand which one of the attributes used as shown above in the service takes care of the anonymous username. We confirmed that the Windows supplicant sends it no matter how it is configured on the supplicant, whether it is checked or not.