Do you know if the user has been enrolled with a user certificate before that 'first login'?
The 'normal' process is that a computer, when installed, is joined to AD (GPO) or EntraID (Intune) and receives a machine certificate, and is configured to request a user certificate when a user logs in to that computer for the first time.
When a user logs in to a computer, if that user has not logged in to that computer before, the TEAP Method-2 (User) is expected to fail as there is no user certificate. Once logged in, the GPO/Intune policy will request a user certificate, and in a second attempt the user certificate is present and full TEAP authentication should pass.
Bottom line: a computer needs to be connected first and signed into by a user before the user certificate is enrolled (which requires network connectivity). With devices that are used by a single (or few) user, that normally is not a big issue. For computers that rotate between many users, this will play up every time a user signs in for the first time on that specific computer, or after a long time when the certificate has expired. For those computers that are shared a lot, computer-only authentication may be a better solution.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
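The enrollment dependency described above, as an added PowerShell check that is not part of the original post: it reports whether the computer (TEAP Method 1) and the signed-in user (TEAP Method 2) each hold a valid Client Authentication certificate, so a help desk can confirm the "user certificate not enrolled yet" case before suspecting the supplicant or ClearPass. It assumes the standard Windows certificate stores and the Client Authentication EKU OID; the function names are mine, and the machine-store check is best run elevated.

```powershell
# Added example (not from the original post): check whether the cert-based
# TEAP methods can succeed on this Windows client. Method 1 needs a machine
# certificate in LocalMachine\My, Method 2 needs a user certificate in
# CurrentUser\My; both must be valid and carry the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-TeapCertificate {
    param([ValidateSet('CurrentUser','LocalMachine')][string]$Store)
    Get-ChildItem -Path "Cert:\$Store\My" |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le (Get-Date) -and
            $_.NotAfter  -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-TeapReadiness {
    $machine = Get-TeapCertificate -Store LocalMachine
    $user    = Get-TeapCertificate -Store CurrentUser
    [pscustomobject]@{
        MachineCertPresent   = [bool]$machine
        MachineCertSubject   = $machine.Subject
        MachineCertExpires   = $machine.NotAfter
        UserCertPresent      = [bool]$user
        UserCertSubject      = $user.Subject
        UserCertExpires      = $user.NotAfter
        # Assumption: a user cert expiring within 7 days is flagged so the
        # "expired after a long time" case from the thread is caught early.
        UserCertExpiringSoon = [bool]($user -and $user.NotAfter -lt (Get-Date).AddDays(7))
    }
}

$state = Test-TeapReadiness
$state | Format-List

if (-not $state.UserCertPresent) {
    # The first-login case: machine auth works, user cert not yet enrolled.
    # certutil -user -pulse asks the autoenrollment task to run now instead of
    # waiting for the next policy refresh, so the next TEAP attempt can use it.
    Write-Warning 'No valid user certificate yet; triggering user autoenrollment.'
    certutil -user -pulse | Out-Null
}
```

Run it in the affected user's session right after the first failed login; if MachineCertPresent is true and UserCertPresent is false, the failure matches the enrollment-timing explanation rather than a supplicant or ClearPass fault.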
Original Message:
Sent: Feb 09, 2025 06:35 PM
From: AlexJ
Subject: Intermittent TEAP issue at first login
Hello all,
I have TEAP authentication set up with ClearPass, and when they start their day, some users (not all, and not all the time, to make troubleshooting harder) seem to be impacted by an issue where TEAP method 2 fails (it looks like the cert is not seen). The interesting thing is that if the user disconnects/reconnects, all is well, both certs are seen OK and TEAP auth is performed without issues. This affects both my wired and wireless services, and all supplicants are Win11 machines. It only seems to happen when a user first logs in to the network; after that they have no issues during their workday.
As a temporary solution, I have created a profile that forces re-auth if the "wrong" TEAP roles are picked up, which seems to work (the whole process takes about 30 seconds). But I am hoping that there is a solution to cure the root cause as users still notice it.
I have had a few cases with TAC, and solutions range from "this is a bug" to "disable anonymous identity", and I am now hoping that someone here can provide assistance from here.