Security

 View Only
Expand all | Collapse all

Using EAP-TEAP and EAP-TLS on the same service

This thread has been viewed 56 times
  • 1.  Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 08, 2023 01:36 AM

    Is there a way to have EAP-TEAP and EAP-TLS co-exist on the same service?

    I have been testing EAP-TEAP on wireless and have it successfully working. Both methods are EAP-TLS. If I then enable EAP-TLS on the same service, clients that only use EAP-TLS do not connect and show the following alert "EAP: Client doesn't support configured EAP methods". 

    I have clients that don't support EAP-TEAP (i.e. iPads and MacBooks) and do not want to use a separate SSID. Furthermore, I'm also testing EAP-TEAP for wired authentication and would like the MacBooks to fall back to EAP-TLS. 



  • 2.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 08, 2023 10:16 AM

    Can you reply with some screenshots? It almost seams like maybe the client is trying EAP-PEAP instead of EAP-TLS? 

    Screenshots of the client SSID config and of the ClearPass service would be a big help.



    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 3.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 08, 2023 05:12 PM
    I'll try to get some screenshots but are you saying this is theoretically possible? And should work?





  • 4.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 11, 2023 11:28 AM

    Yes, should work. Here is the configuration the I have, it even has PEAP enabled in the same service/SSID in addition to TLS and TEAP.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 11, 2023 10:23 PM
    Hi Herman,

    I have similar methods but no EAP-PEAP:

    1. EAP TLS (using OCSP)
    2. EAP TEAP (both using EAP-TLS)

    If I remove the EAP TLS and just use EAP TEAP, my test device (Windows 11) connects fine with both methods being successful (Computer + User). 

    When I have EAP TLS above EAP TEAP, I get the following error message for the same test device:

    eap-teap: Method 1 failed for transaction
    eap-teap: Method 1 failed for transaction
    eap-teap: Conflicting identities 'anonymous' and 'host/<ComputerName>.domain' in the request
    TLS session reuse error

    Any thoughts?

    Thanks.





  • 6.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 12, 2023 08:31 AM

    Here is a client connecting with EAP-TLS on the SSID that I showed the service for:

    That client is a Windows 10, not Win11; but that should not make a big difference. From the logs it looks like the client is attempting TEAP, not EAP-TLS, and it the client that decides which authentication method to use.

    One other approach would be to split up the services into two..  you can do that by filtering on the anonymous username that you can set for TEAP:

    Radius:IETF User-Name BELONGS_TO anonymous,teap

    But EAP-TLS and TEAP in one service should just work...



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 12, 2023 07:24 PM
    Hi Herman,

    My test Windows 11 client is configured for EAP-TEAP and should be using EAP-TEAP to authenticate. The issue only happens when I add EAP-TLS as an Authentication Methods. I found the client has the same behaviour regardless of the order of the EAP-TEAP and EAP-TLS methods.

    I might try contacting TAC.

    Thanks.





  • 8.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 13, 2023 03:43 PM

    Couple of things to check:

    1. Here outer identity is anonymous. Is there an actual user account named "anonymous" in the auth sources configured for the service? 
    2. Can you double check the supplicant configuration to check if the trust is setup correctly. Recently heard about someone who ran into similar error and after working with TAC, problem was with the trusted root CA selection on supplicant. I would expect the error message to point out trust issues clearly, so I am not fully convinced that was the real root cause but worth double checking.



  • 9.  RE: Using EAP-TEAP and EAP-TLS on the same service
    Best Answer

    Posted Sep 13, 2023 07:20 PM
    Thanks for everyone's help, I managed to solve the issue. I'm not sure why but I had Endpoints Repository as an Authentication Source. Once removed I had no further issues.

    I'm still confused as to why it only caused an issue when I added EAP TLS as an Authentication Method. I would have thought it would cause an issue either way.





  • 10.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Mar 20, 2024 09:07 AM

    Running into exactly the same error.

    It seems to point to using the endpoints repository as the culprit. 
    Since my service is configured for TEAP (TLS both methods) and we are also doing InTune checks for iPads who use TLS.
    The InTune extension syncs with the endpoints repository so it is added as an auth source. Cannot add InTune as an auth source right now. 

    As soon as I remove the endpoints repository as an auth source, my windows client starts working again. 

    May have to separate the service and add a condition to check the IETF user-name as anonymous or teap (configured for teap currently) and simply reuse the same role mapping and enforcement policies. 




    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 11.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Mar 20, 2024 07:04 PM

    It sounds like like a very similar setup to my environment. I didn't have much luck with TAC, so I spoke with our pre-sales engineer who put me in touch with a higher level engineer. They suggested breaking out the service into two, similar to how you are thinking. I haven't had a chance to test it further.

    It does sort of feel like a bug. 




  • 12.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted Sep 26, 2024 12:03 AM

    Exact same issue here, did anyone figure this out? When both TEAP and TLS are enabled in the same service, and Endpoints Repository is an Authentication source, TEAP fails with the 'conflicting identities' error. Removing TLS from the service resolves the issue. In my case removing the Endpoints Repository also breaks my TEAP, I am doing only Certificate authentication (no AD), then AzureAD/EntraID for Authorization. Apparently for that to work Endpoints Repository has to be an Authentication method. The workaround is configuring TEAP on it's own service (looking for the 'anonymous' username), but I'm curious how to get both TLS and TEAP working at the same time with this config. 




  • 13.  RE: Using EAP-TEAP and EAP-TLS on the same service

    Posted 2 days ago

    Ran into this issue within my client's lab this afternoon. Same exact scenario as yours - if I figure this out I will report back with the solution.