Security

 View Only
  • 1.  EAP-TEAP issue GPO

    Posted Jul 11, 2024 05:35 AM

    Hey,

    I'm configuring EAP-TEAP in my lab-setup.
    I have an AD server and a test-laptop who is joined into the test-AD.
    My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

    EAP-TLS authentication for WiFi is working as a charm.
    Since we are moving to EAP-TEAP, I want to configure this authentication method.

    So created new GPO with settings I found on Herman Robbers video.

    Pushed it and I'm sure it's well received by the client.

    Also rebooted the laptop.

    See setting in attachments for GPO.

    I receive a reject from clearpass because it don't support the eap-method.
    In the service the only authentication method is TEAP.

    When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

    I see a timeout for the outer method and then an accept for the inner method.

    The delay is caused by the timeout of the outher method.

    I used exactly the same config as in the GPO.

    The identity anonymous I don't want to disable it, also not possible in the GPO.

    So what I'm missing?

    Clearpass is running 6.12.2



  • 2.  RE: EAP-TEAP issue GPO

    Posted Jul 11, 2024 06:20 AM

    Hi

    TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

    On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

    I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

    Can you share the service configuration as well as the Access Tracker output when the clients got accepted?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: EAP-TEAP issue GPO

    Posted Jul 11, 2024 09:50 AM

    Hi,

    Computer has a certificate. The user hasn't a certificate.

    But with local wifi policy I see that method 1 succeed and method 2 fails.
    But is completly normal.

    With the GPO I don't see anything execpt not correct authentication method.




  • 4.  RE: EAP-TEAP issue GPO

    Posted Jul 11, 2024 10:02 AM

    Hi

    EAP-TEAP performs both computer and user autentication at the same time, thus both identities must be able to authticate. If the user doesn't have a certificate this authenitcation will fail.

    The authentication for the computer is working but the user must have a certificate to be able to authenticate with the settings you have in the 802.1x TEAP profile:

    With the settings above you have specified that TEAP Method-1 (the computer) should authenticate with a certificate as well as in TEAP Method-2 (for the user).

    If the user doesn't have a certificate only the computer authentication will take place, exactly as in your screenshot:

    Issue a certificate to the user and hopefully it will work as intended.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: EAP-TEAP issue GPO

    Posted Jul 11, 2024 10:07 AM

    Ok I will try that.

    But I will not have an user certificate when I must login into the windows computer.
    Because there isn't a user logged in.

    I'm a correct?




  • 6.  RE: EAP-TEAP issue GPO

    Posted Jul 11, 2024 10:19 AM

    Yes, you are correct. 

    In your role mapping and enforcement policies you have to handle the different cases:

    1. Method 1 Successful, Method 2 Failed
    2. Method 1 Successful, Method 2 Successful
    3. Method 1 Failed, Method 2 Successful

    If you are working with roles you can assign a role with limited access in the first case where just the machine authentication is successful to allow the user to get the certificate.

    In the second case where both methods are successful, you assign the correct role the user should have. I case you have multiple roles depending on group membership for the users, you return different roles depending on the groups.

    In most cases the third option would be a case where the computer certificate has expired. Maybe a computer that haven't been in use for a while. This computer must be able to enroll for a new certificate, thus a limited role for certificate enrollment and other system updates may be the best option.

    Exactly what you implement in the different scenarios is up to you.

    Compared to the older way with just EAP-TLS and both user and computer autentication it's easier to implement the enrollment of the user certificate. With just EAP-TLS the user authentication would fail, and the user be denied access. Unless you allow a MAC authentication for enrollment of certificates.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: EAP-TEAP issue GPO

    Posted Jul 12, 2024 03:44 AM

    Hi Jonas,

    Issue was that GPO I created in the editor of windows server 2022, which stated clearly EAP-TEAP didn't accepted by the machine.
    He performed still eap-tls which was the reason of the error of unknown EAP method.
    After I exported the xml file of the local configifured SSID on the pc to the backup of the GPO.
    It magically worked as expected, even without user certificate.

    He would fail on the method 2, but again I saw that the authentication came perfectly in and not eap-method failed.
    So, conclusion: windows GPO tricked me, which still pushed EAP-TLS.