<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE TEAP + EAP chaining in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760400#M579371</link>
    <description>&lt;P&gt;TEAP is an outer EAP method that uses either EAP-TLS or MSCHAPv2 as an inner method to provide credentials. If you are configuring the supplicant the same as the referenced documentation (authentication mode is 'User or computer authentication' and EAP method 'Smart card or other certificate'), then the supplicant is using TEAP(EAP-TLS) and you would need both a Computer and User certificate enrolled on the computer. If you do not have a User certificate, the supplicant is unable to provide a credential for User authentication.&lt;/P&gt;</description>
    <pubDate>Tue, 24 Jan 2023 03:28:46 GMT</pubDate>
    <dc:creator>Greg Gibbs</dc:creator>
    <dc:date>2023-01-24T03:28:46Z</dc:date>
    <item>
      <title>Cisco ISE TEAP + EAP chaining</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760355#M579370</link>
      <description>&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;We need some assistance and guidance as we are trying to test EAP chaining using EAP TEAP on ISE 3.1 P5 for Windows 10 laptops with the latest updates. We followed the following documents for EAP-TEAP configuration and pushing GPO for TEAP:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html" target="_blank" rel="noopener"&gt;https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289" target="_blank" rel="noopener"&gt;https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289&lt;/A&gt;&lt;/P&gt;&lt;P&gt;We notice that we are not able to get the user and machine authentication successful in one session; on ISE we only see machine authentication with host/machine name. Even though the user logs in successfully, there is no log on ISE. On the switch side, we do not see the actual username coming from the endpoint; it is only anonymous which we see.&lt;/P&gt;&lt;P&gt;We checked the RADIUS live log and we see a statement 'supplicant decline the inner EAP method'. We followed the GPO settings on the Cisco community forum. Please note we have never used wired 802.1X using certs, so we are not sure if a user certificate is needed, as we only have the root CA on the machine. Please advise which inner EAP method is talked about here. I tried to allow all protocols under "allowed protocols" but nothing worked.&lt;/P&gt;&lt;P&gt;There are zero hit counts on the user and machine succeeded policy, and all logs are for user failed and machine successful.&lt;/P&gt;&lt;P&gt;Please suggest; we also had a TAC case but no relevant information.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Mehnaz&lt;/P&gt;</description>
      <pubDate>Tue, 24 Jan 2023 01:50:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760355#M579370</guid>
      <dc:creator>MehnazKhan2492</dc:creator>
      <dc:date>2023-01-24T01:50:57Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE TEAP + EAP chaining</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760400#M579371</link>
      <description>&lt;P&gt;TEAP is an outer EAP method that uses either EAP-TLS or MSCHAPv2 as an inner method to provide credentials. If you are configuring the supplicant the same as the referenced documentation (authentication mode is 'User or computer authentication' and EAP method 'Smart card or other certificate'), then the supplicant is using TEAP(EAP-TLS) and you would need both a Computer and User certificate enrolled on the computer. If you do not have a User certificate, the supplicant is unable to provide a credential for User authentication.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Jan 2023 03:28:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760400#M579371</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2023-01-24T03:28:46Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE TEAP + EAP chaining</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760458#M579373</link>
      <description>&lt;P&gt;Hello MehnazKhan2492, I hope you are doing well. If you are using the native Windows supplicant, I would suggest configuring it manually, without GPOs. This will allow you to play more with the settings and do tests for the authentications using TEAP with the different options and inner methods. Once you make it work the easier way, which is MSCHAPv2, you can move to EAP-TLS, where you'll require auto-enrollment and provide a certificate (separate process from MSFT CA). Once you finish and feel comfortable with those tests and the successful authentications, I'd recommend you go ahead with the GPO.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Jan 2023 04:24:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4760458#M579373</guid>
      <dc:creator>dalbanil</dc:creator>
      <dc:date>2023-01-24T04:24:48Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE TEAP + EAP chaining</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4762248#M579405</link>
      <description>&lt;P&gt;Thanks for the suggestion,&lt;/P&gt;&lt;P&gt;Is there a document in the Cisco repository which talks about enrolling user certificates + TEAP as explained in &lt;A href="https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289" target="_blank"&gt;https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289&lt;/A&gt;?&lt;/P&gt;&lt;P&gt;The above link does not add the user certificate using GPO.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Mehnaz&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 17:09:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4762248#M579405</guid>
      <dc:creator>MehnazKhan2492</dc:creator>
      <dc:date>2023-01-25T17:09:06Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE TEAP + EAP chaining</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4763592#M579438</link>
      <description>&lt;P&gt;Information on creating Group Policy to auto-enroll User certificates with your Microsoft PKI (AD Certificate Services) is provided by Microsoft.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment" target="_blank"&gt;https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Jan 2023 21:36:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-teap-eap-chaining/m-p/4763592#M579438</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2023-01-26T21:36:57Z</dc:date>
    </item>
  </channel>
</rss>

