topic Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users ) in Network Access Control

Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

mtar — Tue, 24 Oct 2023 13:46:59 GMT

Hello!

Currently we are designing a brand new deployment of ISE 3.2 with windows native dot1x client.

My questions is: Is it possible to use TEAP as an outer method and EAP-TLS(cert based) for computers and MS-CHAPv2 for users as inner method?

I have read in a forum that the windows native client does not support multiple inner methods, only one.

And we dont want to you EAP-TLS for user authentication. The goal is to use the AD as a single point of truth regarding the users.

Another question is: If we use EAP-TLS - certificate based - machine auth, is it mandatory to configure a Certificate Authentication Profile?

Another question is: If we use EAP-TLS - certificate based - machine auth, does the machine object need to exist in the AD?

Thank you.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

Rob Ingram — Tue, 24 Oct 2023 13:49:27 GMT

@mtar yes you can use TEAP, with certificates for machine authentication and MSCHAPv2 for user authentication.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

mtar — Tue, 24 Oct 2023 14:42:39 GMT

Thank you!

In that case how would my authentication policy would look like?

One line is enough to handle the two kind of protocols with the proper Server Sequence? Iike here:

I mean, I don't have to create a separate rule for the user and the machine auth?

Thanks

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

Rob Ingram — Tue, 24 Oct 2023 14:47:29 GMT

@mtar you may wish to have 2 rules in the authentication policy, one for EAP-TLS which uses a certificate authentication profile (CAP) for authentication and lookups (if required) and another for MSCHAPv2 which authenticates against AD.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

mtar — Tue, 24 Oct 2023 14:51:46 GMT

If I understand correctly, the above showed "one rule" design is working too right?

It is it not necessary to have a rule for each kind of auth.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

thomas — Tue, 07 Nov 2023 14:21:42 GMT

You will need 2 separate Authentication Rules in your ISE Policy Set - one for each EAP inner method. The reason is that EAP-TLS will need to be associated with a Certificate Authentication Profile (CAP) - the default Preloaded_Certificate_Profile should work - while your MS-CHAPv2 auth will need to be associated with an Identity Store (Internal, AD, etc.) or sequence.

You may combine the Certificate Profile and Identity Store(s) into a single Identity Source Sequence but depending on how many other authentication rules are in your policy set, it may become a lot of extra processing for each authentication. I prefer to see each auth by protocol unless they are all the same protocol and it's more of a convenience to use an ordered set of Identity Stores with the same protocol (MS-CHAPv2 for AD1 then AD2 then Internal Users, etc.)

For an authorization rule example, see ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP)

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

ahollifield — Tue, 07 Nov 2023 15:35:01 GMT

It would be best practice not to deploy MS-CHAPv2. Its broken from an encryption prospective and is effectively disabled by Microsoft via Credential Guard (unless you choose to disable). A better option would be to use user and computer certificates within TEAP instead.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

mtar — Fri, 10 Nov 2023 08:31:47 GMT

Using User certificates for user authentication is not an option unfortunatelly 😞

Is there are other secure alternatives to MsChapv2 which you would recommend?

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

mtar — Fri, 10 Nov 2023 10:15:59 GMT

That makes sense, thank you very much!

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

ahollifield — Wed, 15 Nov 2023 17:38:46 GMT

Why not? The alternative is TLS based auth or SAML via Captive Portal.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

aputra — Thu, 17 Oct 2024 10:54:31 GMT

What are the TEAP properties settings under client authentication (primary and secondary EAP) of the windows supplicant if machine authentication using TLS and user using MSCHAPv2? Thanks in advance.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

Aref Alsouqi — Thu, 17 Oct 2024 11:12:54 GMT

The primary method refers to the user and the secondary refers to machine, so in your case primary would be configured with MSCHAPv2 and secondary with EAP-TLS.

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

aputra — Thu, 17 Oct 2024 13:51:48 GMT

Thank you!

Re: Cisco 3.2 - TEAP ( EAP-TLS for machine and MS-CHAPv2 for users )

Aref Alsouqi — Thu, 17 Oct 2024 14:30:35 GMT

You're welcome.