Security

  • 1.  EAP-TLS vs TEAP (user and mac authentication)

    Posted Oct 10, 2024 11:22 AM

    Dear Experts, 

    The customer is planning to authenticate users on laptops/PCs through EAP-TLS; the certificates will be installed when the device joins the domain through GPO. Now the customer also requires machine authentication. I am a bit confused: if they are issuing certificates based on domain membership, do they still need to do machine authentication separately?



  • 2.  RE: EAP-TLS vs TEAP (user and mac authentication)

    Posted Oct 10, 2024 01:42 PM

    The concept of machine authentication on Windows allows the device to be connected to the network while no one is logged in. If you don't have that set up, then the network connection can be dropped when a user isn't logged in.

    TEAP allows for EAP chaining, providing proof that the user is logging on not only with correct credentials but also using an authenticated machine to do so. It also provides a mechanism to allow a device to still access the network even when the current user doesn't have credentials (a TLS certificate) available on the device.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: EAP-TLS vs TEAP (user and mac authentication)

    Posted Oct 10, 2024 02:54 PM

    Dear Carson, 

    Sorry for the noob question, so we can use EAP-TLS with TEAP, right? Is this also the recommended approach?

    Also, at a high level, since the customer is asking for both machine and user auth with EAP-TLS with on-prem AD, what is the best way to do it?




  • 4.  RE: EAP-TLS vs TEAP (user and mac authentication)

    Posted Oct 10, 2024 03:26 PM

    EAP-TEAP is the outer authentication method and the inner method can be EAP-TLS or other methods like EAP-PEAP.

    In EAP-TEAP there are two authentications taking place at the same time. They are called Method 1 and Method 2.

    Method 1 is the computer authentication, Method 2 is the user authentication. They both take place at the same time as @chulcher mentions.

    So this gives several different authentication scenarios to evaluate.

    1. Method 1 Successful, Method 2 Unsuccessful. In this case the computer has performed a successful authentication, but the user failed. Maybe the user isn't logged in on the computer or is missing a valid certificate. Apply a role allowing access for remote management of the computer, updates, certificate provisioning, etc.
    2. Method 1 Successful, Method 2 Successful. This is the normal situation when both computer and user have valid certificates. Provide a role based on user and computer needs.
    3. Method 1 Unsuccessful, Method 2 Successful. This is normally a situation that shouldn't occur, but a possible case is a computer that has been offline for a long time and thus its certificate hasn't been renewed, while the user certificate is still valid. Handle according to company routines.
    4. Method 1 Unsuccessful, Method 2 Unsuccessful. Both methods fail and a reject is returned to the NAD.

    The scenarios are handled in the role mapping and enforcement policies. In the role mapping you can configure conditions to assign roles based on the result of the different authentication methods.

    On the AD side, autoenrollment of both computer and user certificates should be configured, along with a GPO for 802.1X authentication for both wired and wireless. In the 802.1X configuration, configure the RADIUS server certificate trust and the two authentication methods.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
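    The four-scenario matrix above, together with the "nobody is logged on" case from reply 2, is shown below as an added worked example; it is not ClearPass code and not code from any poster. It models the TEAP (RFC 7170) outer tunnel carrying two EAP-TLS inner methods, evaluates each inner certificate the way an authentication server would (issuer trust, validity window, client-auth EKU) and then applies a role-mapping step over the Method 1 / Method 2 results. A user method that never ran because no one was logged on is treated like scenario 1. The CA distinguished name, role names, attribute names (`TEAP-Method-1-Status`, `TEAP-Method-2-Status`) and the session records are all constructed for illustration, not taken from a real deployment.

```python
"""TEAP (RFC 7170) EAP-chaining outcome matrix modelled as a policy-server
role-mapping step. Added example; not ClearPass code. The CA DN, role names,
attribute names and session records are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"                        # id-kp-clientAuth
TRUSTED_ISSUER = "CN=Corp Issuing CA, DC=corp, DC=example"    # assumed enterprise CA


class Outcome(str, Enum):
    SUCCESS = "Success"
    FAILURE = "Failure"
    NONE = "None"        # method never ran, e.g. no user logged on (Method 2)


@dataclass(frozen=True)
class Cert:
    """The few X.509 fields the authentication server actually checks here."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    eku: tuple[str, ...] = (CLIENT_AUTH_EKU,)


@dataclass(frozen=True)
class TeapSession:
    """One outer TEAP tunnel carrying Method 1 (machine) and Method 2 (user)."""
    calling_station: str
    machine_cert: Optional[Cert]   # None: supplicant presented no machine cert
    user_cert: Optional[Cert]      # None: nobody logged on, or no user cert yet


def check_cert(cert: Optional[Cert], now: datetime) -> Outcome:
    """Minimal EAP-TLS inner-method verdict: issuer trust, validity window, EKU."""
    if cert is None:
        return Outcome.NONE
    if cert.issuer != TRUSTED_ISSUER:
        return Outcome.FAILURE
    if not (cert.not_before <= now <= cert.not_after):   # e.g. long-offline PC
        return Outcome.FAILURE
    if CLIENT_AUTH_EKU not in cert.eku:
        return Outcome.FAILURE
    return Outcome.SUCCESS


def map_role(method1: Outcome, method2: Outcome) -> Optional[str]:
    """Role mapping over the four scenarios in the thread; None means reject."""
    m1_ok = method1 is Outcome.SUCCESS
    m2_ok = method2 is Outcome.SUCCESS
    if m1_ok and m2_ok:
        return "Employee"              # scenario 2: machine and user both good
    if m1_ok:
        return "Machine-Only"          # scenario 1: pre-logon / missing user cert
    if m2_ok:
        return "Quarantine-Remediate"  # scenario 3: known user, stale machine cert
    return None                        # scenario 4: Access-Reject to the NAD


def authorize(session: TeapSession, now: datetime) -> dict:
    """Full decision for one session: inner-method results, role, RADIUS verdict."""
    m1 = check_cert(session.machine_cert, now)
    m2 = check_cert(session.user_cert, now)
    role = map_role(m1, m2)
    return {
        "Calling-Station-Id": session.calling_station,
        "TEAP-Method-1-Status": m1.value,   # assumed attribute name
        "TEAP-Method-2-Status": m2.value,   # assumed attribute name
        "Role": role,
        "Verdict": "Access-Accept" if role else "Access-Reject",
    }


NOW = datetime(2024, 10, 10, 12, 0, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
DAY = timedelta(days=1)


def _cert(subject: str, issued: datetime, issuer: str = TRUSTED_ISSUER) -> Cert:
    return Cert(subject, issuer, issued, issued + YEAR)   # one-year validity


# Constructed sessions, one per scenario in the thread (not real captures).
SESSIONS = {
    "pre_logon": TeapSession("00-11-22-33-44-01", _cert("CN=PC01.corp.example", NOW - 30 * DAY), None),
    "normal": TeapSession("00-11-22-33-44-02", _cert("CN=PC02.corp.example", NOW - 30 * DAY),
                          _cert("CN=alice", NOW - 10 * DAY)),
    "stale_machine": TeapSession("00-11-22-33-44-03", _cert("CN=PC03.corp.example", NOW - 2 * YEAR),
                                 _cert("CN=bob", NOW - 10 * DAY)),
    "rogue": TeapSession("00-11-22-33-44-04", _cert("CN=LAPTOP-X", NOW, issuer="CN=Self-Signed"), None),
}


def decide_all(now: datetime = NOW) -> dict[str, dict]:
    """Run the policy over every constructed session."""
    return {name: authorize(s, now) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, r in decide_all().items():
        print(f"{name:14s} M1={r['TEAP-Method-1-Status']:8s} "
              f"M2={r['TEAP-Method-2-Status']:8s} -> {r['Verdict']} ({r['Role']})")
```

    The point to take from the `stale_machine` case is that a policy which keys only on the user method would happily admit a machine whose certificate lapsed while it sat in a drawer; the chaining result lets you push it to a remediation role instead of a full employee role.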



  • 5.  RE: EAP-TLS vs TEAP (user and mac authentication)

    Posted Oct 10, 2024 03:46 PM

    I'd suggest looking at the TechNote for using TEAP with ClearPass.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------