Security

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Pretty sure that Authentication:OuterMethod isn't available during service categorization, you'll need to handle all EAP methods in the same service.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

@chulcher oh okay no problem thank you. Do you have to know where I can find the documentation on it as I want to know more.

Thank You

Pretty sure that Authentication:OuterMethod isn't available during service categorization, you'll need to handle all EAP methods in the same service.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Yes, you can as it's only used to get the request in the correct service, where you can do TEAP (or whatever other authentication method). This is how it looks in my lab ClearPass server:

This service will either be selected with the anonymous identity set to anonymous or to teap. After that, I have computer and user authentication via TEAP. Then if you put your older (PEAP) service below this service, the PEAP request will 'faillthrough' and be handled through that service.

If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Note, enabling identity privacy (using an anonymous username) when using PEAP is also a good idea as one of the first steps for making PEAP as secure as can be.

Yes, you can as it's only used to get the request in the correct service, where you can do TEAP (or whatever other authentication method). This is how it looks in my lab ClearPass server:

This service will either be selected with the anonymous identity set to anonymous or to teap. After that, I have computer and user authentication via TEAP. Then if you put your older (PEAP) service below this service, the PEAP request will 'faillthrough' and be handled through that service.

If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Even better is moving to EAP-TLS with anonymous identity ;) That is what we are doing. CPPM needs dome coaxing though, because it uses the outer identity by default for authentication, etc.

Note, enabling identity privacy (using an anonymous username) when using PEAP is also a good idea as one of the first steps for making PEAP as secure as can be.

Yes, you can as it's only used to get the request in the correct service, where you can do TEAP (or whatever other authentication method). This is how it looks in my lab ClearPass server:

This service will either be selected with the anonymous identity set to anonymous or to teap. After that, I have computer and user authentication via TEAP. Then if you put your older (PEAP) service below this service, the PEAP request will 'faillthrough' and be handled through that service.

If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.

Thank You Guys for all your input. 

@Herman Robers can you share me the documentation on how you implemented your EAP-TEAP with WPA3?

Even better is moving to EAP-TLS with anonymous identity ;) That is what we are doing. CPPM needs dome coaxing though, because it uses the outer identity by default for authentication, etc.

Note, enabling identity privacy (using an anonymous username) when using PEAP is also a good idea as one of the first steps for making PEAP as secure as can be.

Yes, you can as it's only used to get the request in the correct service, where you can do TEAP (or whatever other authentication method). This is how it looks in my lab ClearPass server:

This service will either be selected with the anonymous identity set to anonymous or to teap. After that, I have computer and user authentication via TEAP. Then if you put your older (PEAP) service below this service, the PEAP request will 'faillthrough' and be handled through that service.

If I filter with anonymous, would I still be able to hit the rule and get the user auth and the computer auth.

As TEAP has a mandatory Anonymous identity these days in Windows 10/11, you can also filter on the anonymous user-name in your service (IETF:User-Name EQUALS anonymous), change anonymous to another name if you changed the anonymous identity.

Hello Guys,

I want to have two SSID in my network and I am implementing EAP-TEAP which was successful so far. But currently using EAP-PEAP. 

My plan is to rolled out users slowly until we have one SSID with EAP-TEAP and EAP-PEAP. Users will first hit TEAP first then if fails, hit the EAP_PEAP rule.

When I added the authentication outherMethod in my service, I get rejected. It does not even the rule anymore. Is there something I am doing wrong with the outerMethod.

I have also attached my logs in this thread.

Thank You in advance.