topic Re: Understanding TEAP in Network Access Control

Understanding TEAP

REJR77 — Wed, 02 Jun 2021 17:01:55 GMT

Hi Folks,

Managing machine authentication AND user authentication with EAP-TLS is a headache.

So I am considering TEAP (from the native windows supplicant), which may solve my headache if I correctly understand how it works.

I see that we need at least Windows 10 2004 and ISE 2.7.

Would it be possible to authenticate the machine with its certificate and the user with MS-CHAPv2 through TEAP?

Machine Cert would say "Ok, my computer is corporate", and User auth with MS-CHAPv2 would allow a more easy deployment without dealing with User certificate.

Thanks

Re: Understanding TEAP

Mike.Cifelli — Wed, 02 Jun 2021 18:22:28 GMT

Would it be possible to authenticate the machine with its certificate and the user with MS-CHAPv2 through TEAP?

-Yes. TEAP is the non-proprietary industry standard that will allow you to utilize eap-chaining (Allows user and machine authentication within one Radius/EAP session). Essentially allowing you to utilize the native supplicant on Windows machines instead of using EAP-FAST with the AnyConnect NAM module.

These two links should definitely guide you through the process of trial and error testing:

Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE - Cisco (good for eap-chaining understanding)

HTH!

Re: Understanding TEAP

thomas — Sat, 05 Jun 2021 22:53:55 GMT

See TEAP for Windows 10 Group Policy and ISE 2.7 for EAP-Chaining