I found out a solution to this while working with Aruba. You create a new TLS Auth Method (copy whatever you are using currently), and uncheck 'Authorization Required'. Then you use this new TLS method inside of your TEAP Auth Method. This disables the authorization lookup from happening within the Authentication phase and gets rid of this error. Just make sure you are then performing the necessary authorizations in the authorization phase (account is valid, enabled, etc.).
Original Message:
Sent: Nov 14, 2024 02:40 PM
From: MarkNap128
Subject: Using EAP-TEAP and EAP-TLS on the same service
If you remove the endpoint database and the local SQL database and have, say, AD as the only authentication source, you can save the service with both EAP-TLS and TEAP. Of course this does not help those who are not using AD.
Original Message:
Sent: Nov 07, 2024 04:19 PM
From: Mark Napoleoni
Subject: Using EAP-TEAP and EAP-TLS on the same service
Ran into this issue within my client's lab this afternoon. Same exact scenario as yours - if I figure this out I will report back with the solution.
Original Message:
Sent: Sep 26, 2024 12:02 AM
From: cm119
Subject: Using EAP-TEAP and EAP-TLS on the same service
Exact same issue here, did anyone figure this out? When both TEAP and TLS are enabled in the same service, and Endpoints Repository is an Authentication source, TEAP fails with the 'conflicting identities' error. Removing TLS from the service resolves the issue. In my case removing the Endpoints Repository also breaks my TEAP, I am doing only Certificate authentication (no AD), then AzureAD/EntraID for Authorization. Apparently for that to work Endpoints Repository has to be an Authentication method. The workaround is configuring TEAP on its own service (looking for the 'anonymous' username), but I'm curious how to get both TLS and TEAP working at the same time with this config.
Original Message:
Sent: Sep 11, 2023 10:22 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Hi Herman,
I have similar methods but no EAP-PEAP:
1. EAP TLS (using OCSP)
2. EAP TEAP (both using EAP-TLS)
If I remove the EAP TLS and just use EAP TEAP, my test device (Windows 11) connects fine with both methods being successful (Computer + User).
When I have EAP TLS above EAP TEAP, I get the following error message for the same test device:
eap-teap: Method 1 failed for transaction
eap-teap: Method 1 failed for transaction
eap-teap: Conflicting identities 'anonymous' and 'host/<ComputerName>.domain' in the request
TLS session reuse error
Any thoughts?
Thanks.
Original Message:
Sent: 9/11/2023 11:28:00 AM
From: Herman Robers
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Yes, should work. Here is the configuration that I have, it even has PEAP enabled in the same service/SSID in addition to TLS and TEAP.
------------------------------
Herman Robers
Original Message:
Sent: Sep 08, 2023 05:11 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
I'll try to get some screenshots but are you saying this is theoretically possible? And should work?
Original Message:
Sent: 9/8/2023 10:16:00 AM
From: bd_87
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Can you reply with some screenshots? It almost seems like maybe the client is trying EAP-PEAP instead of EAP-TLS?
Screenshots of the client SSID config and of the ClearPass service would be a big help.
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 08, 2023 01:35 AM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Is there a way to have EAP-TEAP and EAP-TLS co-exist on the same service?
I have been testing EAP-TEAP on wireless and have it successfully working. Both methods are EAP-TLS. If I then enable EAP-TLS on the same service, clients that only use EAP-TLS do not connect and show the following alert "EAP: Client doesn't support configured EAP methods".
I have clients that don't support EAP-TEAP (i.e. iPads and MacBooks) and do not want to use a separate SSID. Furthermore, I'm also testing EAP-TEAP for wired authentication and would like the MacBooks to fall back to EAP-TLS.