EAP-TEAP

  • 1.  EAP-TEAP

    Posted Apr 03, 2024 10:58 AM
    Edited by OumarCisse Apr 03, 2024 10:58 AM

    Hello Guys,

    I want to have two SSIDs in my network, and I am implementing EAP-TEAP, which has been successful so far. But I am currently using EAP-PEAP.

    My plan is to roll out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will hit TEAP first, then if it fails, hit the EAP-PEAP rule.

    When I added the authentication OuterMethod in my service, I get rejected. It does not even hit the rule anymore. Is there something I am doing wrong with the OuterMethod?

    I have also attached my logs in this thread.

    Thank you in advance.



  • 2.  RE: EAP-TEAP

    Posted Apr 03, 2024 11:55 AM

    I have attached the logs


    Attachment(s)

    pdf
    Request logs.pdf   64 KB 1 version


  • 3.  RE: EAP-TEAP

    Posted Apr 03, 2024 12:09 PM

    Pretty sure that Authentication:OuterMethod isn't available during service categorization, you'll need to handle all EAP methods in the same service.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 4.  RE: EAP-TEAP

    Posted Apr 03, 2024 12:27 PM

    @chulcher oh okay, no problem, thank you. Do you happen to know where I can find the documentation on it, as I want to know more?

    Thank You




  • 5.  RE: EAP-TEAP

    Posted Apr 03, 2024 12:34 PM

    https://arubanetworks.com/clearpassdocs

    TEAP Tech Note



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: EAP-TEAP

    Posted Apr 04, 2024 03:14 AM

    As TEAP has a mandatory anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous); change anonymous to another name if you changed the anonymous identity.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: EAP-TEAP

    Posted Apr 04, 2024 08:43 AM

    If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth?




  • 8.  RE: EAP-TEAP

    Posted Apr 04, 2024 09:16 AM

    Yes, you can as it's only used to get the request in the correct service, where you can do TEAP (or whatever other authentication method). This is how it looks in my lab ClearPass server:

    This service will either be selected with the anonymous identity set to anonymous or to teap. After that, I have computer and user authentication via TEAP. Then if you put your older (PEAP) service below this service, the PEAP request will 'fall through' and be handled through that service.



    ------------------------------
    Herman Robers
    ------------------------------
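
Added example, not part of any post in this thread and not ClearPass code: a simplified Python model of first-match service selection, showing why a rule on Authentication:OuterMethod matches nothing while a rule on the outer identity routes TEAP clients and lets PEAP requests fall through. The service names, the OuterMethod values, the user jdoe and the catch-all PEAP service are assumptions.

```python
# Simplified model of first-match service selection (not ClearPass code).
# Assumption taken from the thread: Authentication:OuterMethod is not yet
# populated when the service is chosen, so only attributes of the first
# Access-Request, such as IETF:User-Name, can be matched.

def rule_matches(rule, attrs):
    name, op, value = rule
    if op != "EQUALS":
        raise ValueError(f"unsupported operator: {op}")
    # An attribute that is absent at this stage can never match.
    return name in attrs and attrs[name] == value

def categorize(services, attrs):
    """Return the first service with a matching rule, or None (reject)."""
    for service, rules in services:
        # An empty rule list models a catch-all service.
        if not rules or any(rule_matches(r, attrs) for r in rules):
            return service
    return None

def teap_first(*identities):
    """TEAP service keyed on outer identities, PEAP service below it."""
    rules = [("IETF:User-Name", "EQUALS", i) for i in identities]
    return [("TEAP", rules), ("PEAP", [])]

# Hypothetical service names and OuterMethod values.
BY_OUTER_METHOD = [
    ("TEAP", [("Authentication:OuterMethod", "EQUALS", "EAP-TEAP")]),
    ("PEAP", [("Authentication:OuterMethod", "EQUALS", "EAP-PEAP")]),
]

def demo():
    # Constructed first requests: only the outer identity is visible.
    teap_anon = {"IETF:User-Name": "anonymous"}
    teap_named = {"IETF:User-Name": "teap"}
    peap_user = {"IETF:User-Name": "jdoe"}
    peap_anon = {"IETF:User-Name": "anonymous"}  # PEAP with identity privacy
    return {
        "outer_method_rule": categorize(BY_OUTER_METHOD, teap_anon),
        "teap_client": categorize(teap_first("anonymous", "teap"), teap_anon),
        "peap_client": categorize(teap_first("anonymous", "teap"), peap_user),
        "peap_private_collides": categorize(teap_first("anonymous"), peap_anon),
        "peap_private_distinct": categorize(teap_first("teap"), peap_anon),
        "teap_distinct": categorize(teap_first("teap"), teap_named),
    }

if __name__ == "__main__":
    for case, service in demo().items():
        print(f"{case}: {service}")
```

The `peap_private_collides` case shows that once PEAP clients also send anonymous as their outer identity, they land in the TEAP service; a dedicated TEAP identity such as teap keeps the two apart.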



  • 9.  RE: EAP-TEAP

    Posted Apr 04, 2024 09:23 AM

    Note, enabling identity privacy (using an anonymous username) when using PEAP is also a good idea as one of the first steps for making PEAP as secure as can be.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: EAP-TEAP

    Posted Apr 05, 2024 08:09 AM

    Even better is moving to EAP-TLS with anonymous identity ;) That is what we are doing. CPPM needs some coaxing though, because it uses the outer identity by default for authentication, etc.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 11.  RE: EAP-TEAP

    Posted Apr 05, 2024 10:20 AM

    Thank you guys for all your input.

    @Herman Robers can you share with me the documentation on how you implemented your EAP-TEAP with WPA3?




  • 12.  RE: EAP-TEAP

    Posted Apr 05, 2024 10:25 AM

    Probably this video from his YouTube channel.

    https://www.youtube.com/watch?v=nTHQsBgRjb4



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    ------------------------------