Security

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2

Hi

TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

Can you share the service configuration as well as the Access Tracker output when the clients got accepted?

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2

Hi,

Computer has a certificate. The user hasn't a certificate.

But with local wifi policy I see that method 1 succeed and method 2 fails.
But is completly normal.

With the GPO I don't see anything execpt not correct authentication method.

Hi

TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

Can you share the service configuration as well as the Access Tracker output when the clients got accepted?

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2

Hi

EAP-TEAP performs both computer and user autentication at the same time, thus both identities must be able to authticate. If the user doesn't have a certificate this authenitcation will fail.

The authentication for the computer is working but the user must have a certificate to be able to authenticate with the settings you have in the 802.1x TEAP profile:

With the settings above you have specified that TEAP Method-1 (the computer) should authenticate with a certificate as well as in TEAP Method-2 (for the user).

If the user doesn't have a certificate only the computer authentication will take place, exactly as in your screenshot:

Issue a certificate to the user and hopefully it will work as intended.

Hi,

Computer has a certificate. The user hasn't a certificate.

But with local wifi policy I see that method 1 succeed and method 2 fails.
But is completly normal.

With the GPO I don't see anything execpt not correct authentication method.

Hi

TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

Can you share the service configuration as well as the Access Tracker output when the clients got accepted?

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2

Ok I will try that.

But I will not have an user certificate when I must login into the windows computer.
Because there isn't a user logged in.

I'm a correct?

Hi

EAP-TEAP performs both computer and user autentication at the same time, thus both identities must be able to authticate. If the user doesn't have a certificate this authenitcation will fail.

The authentication for the computer is working but the user must have a certificate to be able to authenticate with the settings you have in the 802.1x TEAP profile:

With the settings above you have specified that TEAP Method-1 (the computer) should authenticate with a certificate as well as in TEAP Method-2 (for the user).

If the user doesn't have a certificate only the computer authentication will take place, exactly as in your screenshot:

Issue a certificate to the user and hopefully it will work as intended.

Hi,

Computer has a certificate. The user hasn't a certificate.

But with local wifi policy I see that method 1 succeed and method 2 fails.
But is completly normal.

With the GPO I don't see anything execpt not correct authentication method.

Hi

TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

Can you share the service configuration as well as the Access Tracker output when the clients got accepted?

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2

Yes, you are correct. 

In your role mapping and enforcement policies you have to handle the different cases:

1. Method 1 Successful, Method 2 Failed
2. Method 1 Successful, Method 2 Successful
3. Method 1 Failed, Method 2 Successful

If you are working with roles you can assign a role with limited access in the first case where just the machine authentication is successful to allow the user to get the certificate.

In the second case where both methods are successful, you assign the correct role the user should have. I case you have multiple roles depending on group membership for the users, you return different roles depending on the groups.

In most cases the third option would be a case where the computer certificate has expired. Maybe a computer that haven't been in use for a while. This computer must be able to enroll for a new certificate, thus a limited role for certificate enrollment and other system updates may be the best option.

Exactly what you implement in the different scenarios is up to you.

Compared to the older way with just EAP-TLS and both user and computer autentication it's easier to implement the enrollment of the user certificate. With just EAP-TLS the user authentication would fail, and the user be denied access. Unless you allow a MAC authentication for enrollment of certificates.

Ok I will try that.

But I will not have an user certificate when I must login into the windows computer.
Because there isn't a user logged in.

I'm a correct?

Hi

EAP-TEAP performs both computer and user autentication at the same time, thus both identities must be able to authticate. If the user doesn't have a certificate this authenitcation will fail.

The authentication for the computer is working but the user must have a certificate to be able to authenticate with the settings you have in the 802.1x TEAP profile:

With the settings above you have specified that TEAP Method-1 (the computer) should authenticate with a certificate as well as in TEAP Method-2 (for the user).

If the user doesn't have a certificate only the computer authentication will take place, exactly as in your screenshot:

Issue a certificate to the user and hopefully it will work as intended.

Hi,

Computer has a certificate. The user hasn't a certificate.

But with local wifi policy I see that method 1 succeed and method 2 fails.
But is completly normal.

With the GPO I don't see anything execpt not correct authentication method.

Hi

TEAP require that both the computer and the user has a certificates. Have you confirmed that the computer also has a certificate?

On your test client, also check if you have multiple computer certificates. If you have several, the computer may not be able to select the correct certificate.

I can see two root CA certificates for Lab-Root-CA, are they identical or do you have two versions of the same CA but with two different certificates?

Can you share the service configuration as well as the Access Tracker output when the clients got accepted?

Hey,

I'm configuring EAP-TEAP in my lab-setup.
I have an AD server and a test-laptop who is joined into the test-AD.
My AD server is root-ca and distribute the client certificates as also signed the radius certificates on Clearpass.

EAP-TLS authentication for WiFi is working as a charm.
Since we are moving to EAP-TEAP, I want to configure this authentication method.

So created new GPO with settings I found on Herman Robbers video.

Pushed it and I'm sure it's well received by the client.

Also rebooted the laptop.

See setting in attachments for GPO.

I receive a reject from clearpass because it don't support the eap-method.
In the service the only authentication method is TEAP.

When I try to configure it manually on the PC eap-teap, it works but takes longer time then EAP-TLS.

I see a timeout for the outer method and then an accept for the inner method.

The delay is caused by the timeout of the outher method.

I used exactly the same config as in the GPO.

The identity anonymous I don't want to disable it, also not possible in the GPO.

So what I'm missing?

Clearpass is running 6.12.2