Frequent Contributor II

[Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

Attached is a PDF on how to configure Clearpass authentication using EAP-TEAP, also known as EAP-Chaining.

 

Environment:

Device: Windows 10 Insider Preview 2004 build 19613.

CPPM: 6.9.0

 

EAP-TEAP (RFC: 7170) Abstract:

   This document defines the Tunnel Extensible Authentication Protocol
   (TEAP) version 1.  TEAP is a tunnel-based EAP method that enables
   secure communication between a peer and a server by using the
   Transport Layer Security (TLS) protocol to establish a mutually
   authenticated tunnel.  Within the tunnel, TLV objects are used to
   convey authentication-related data between the EAP peer and the EAP
   server.

 

 

EAP-TEAPv1 allows for the User and Machine to authenticate during the same session. This will make User + Machine authentication much more graceful.

 

Instead of relying on the Machine authentication cache in CPPM, you will get the authentication status on the first authentication attempt of both the User and Machine.

NOTE: My original post disappeared for some reason without notice, so I'm posting again. If I have violated a forum rule somehow please let me know.

ACEP, ACSP, ACCX #1239
Contributor I

Re: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

Very interesting, thanks for sharing!

I can see it being extremely useful in 802.1X (using EAP-TLS), transitioning from wired to WLAN.

- Evan | ACEP, ACSP, ACCP, ACMP |
Frequent Contributor II

Re: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

No problem. EAP-TEAP is a game changer. 

 

I should also note that I worded my notes poorly around identity privacy. You shouldn't ever "untick" the box. It is an important security precaution so the username is not sent in plaintext. 

 

I will update the doc when I'm near my computer. 

ACEP, ACSP, ACCX #1239
Occasional Contributor II

Re: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

So what is the behaviour with TEAP if the client PC is not logged in? Then it's only a computer authentication?

 

When it logs in, you get a computer and user authentication?

Frequent Contributor II

Re: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

Yes. The User method will be blank. In that regard you will handle it the same as previous EAP methods.

ACEP, ACSP, ACCX #1239
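
The following is an added example, not part of the thread, the attached tutorial, or ClearPass itself: a parser for the RFC 7170 TLV header (M bit, reserved bit, 14-bit type, 16-bit length) that reads the Identity-Type, Intermediate-Result and Result TLVs to show the machine-only and user-plus-machine outcomes discussed above. It assumes the TLVs of one session have already been decrypted and concatenated in order, which is a simplification; the sample byte strings and the helper names are constructed for illustration.

```python
import struct

# TLV type numbers and field values from RFC 7170, section 4.2
IDENTITY_TYPE, RESULT, INTERMEDIATE_RESULT = 2, 3, 10
IDENTITY = {1: "user", 2: "machine"}
STATUS = {1: "success", 2: "failure"}

def parse_tlvs(buf):
    """Yield (mandatory, type, value) for each TLV in a decrypted TEAP payload."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        head, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("TLV length exceeds payload")
        yield bool(head & 0x8000), head & 0x3FFF, buf[off:off + length]
        off += length

def chaining_outcome(buf):
    """Map each identity type to its inner-method result, plus the final result."""
    outcome = {"machine": "not attempted", "user": "not attempted", "final": None}
    current = None  # identity type named by the most recent Identity-Type TLV
    for _mandatory, tlv_type, value in parse_tlvs(buf):
        if tlv_type not in (IDENTITY_TYPE, RESULT, INTERMEDIATE_RESULT):
            continue  # EAP-Payload, Crypto-Binding, etc. are skipped here
        if len(value) < 2:
            raise ValueError("TLV value too short")
        code = struct.unpack_from("!H", value)[0]
        if tlv_type == IDENTITY_TYPE:
            current = IDENTITY.get(code)
        elif tlv_type == INTERMEDIATE_RESULT and current:
            outcome[current] = STATUS.get(code, "unknown")
        elif tlv_type == RESULT:
            outcome["final"] = STATUS.get(code, "unknown")
    return outcome

def tlv(tlv_type, value, mandatory=True):
    """Build one TLV (hypothetical helper for the constructed samples below)."""
    return struct.pack("!HH", (0x8000 if mandatory else 0) | tlv_type, len(value)) + value

def u16(n):
    return struct.pack("!H", n)

# Constructed samples: machine only (nobody logged in), then machine followed by user.
LOGGED_OUT = tlv(2, u16(2)) + tlv(10, u16(1)) + tlv(3, u16(1))
LOGGED_IN = tlv(2, u16(2)) + tlv(10, u16(1)) + tlv(2, u16(1)) + tlv(10, u16(1)) + tlv(3, u16(1))
```
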