topic Re: windows machine use eap-tls & then peap during roaming in Network Access Control

windows machine use eap-tls & then peap during roaming

Andrii Oliinyk — Tue, 12 Mar 2024 19:55:07 GMT

time to learn again in my 57...
subject reflects conditions as how they can be seen from ISE perspective (no access to AD, its target computer etc to verify).
asset everytime authenticates with its machine account, but after initial EAP-TLS, when roaming. it switches to PEAP.
How can it be achieved on windows supplicant?

Re: windows machine use eap-tls & then peap during roaming

Arne Bier — Tue, 12 Mar 2024 21:12:27 GMT

Your question is quite strangely worded. Are you asking, whether a Windows supplicant can mysteriously switch from using EAP-TLS to EAP-PEAP when the endpoint is roaming?

My only guess is that perhaps there is an AnyConnect NAM installed on the endpoint and the machine auth is EAP-TLS, and the user auth is EAP-PEAP. The machine boots up with EAP-TLS. User logs in - EAP-PEAP is triggered. User remains logged in and then goes walkabout roaming).

Same could happen with EAP-TEAP and its EAP chaining support (similar to AnyConnect NAM)

Re: windows machine use eap-tls & then peap during roaming

Andrii Oliinyk — Wed, 13 Mar 2024 08:35:28 GMT

Hi Arne

Glad to see u came to help. It was late yesterday so that i mislooked 2nd method. It's PEAP-MSCHAPv2 according to ISE. But in the rest the situation is exactly like i declared - each time it's machine authentication. I spent tens of hours checking how EAP-FAST (AnyConnect) & EAP-TEAP (Windows) work. But there is no such a feature as concurrent method for the account type (machine|user). So how is it possible to setup Supplicant on windows so that it runs machine authentication with 2 different methods a time?
EAP-TLS one:
...
Username hostname.company.tld
Endpoint Id AA:BB:CC:DD:EE:FF
Endpoint Profile Windows11-Workstation
...
Authentication Method dot1x
Authentication Protocol EAP-TLS
...
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated

PEAP-MSCHAPv2 one:
...
Username host/hostname.company.tld
Endpoint Id AA:BB:CC:DD:EE:FF
Endpoint Profile Windows11-Workstation
...
Authentication Method dot1x
Authentication Protocol PEAP (EAP-MSCHAPv2)
...
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
...
24343 RPC Logon request succeeded - hostname$@company.tld (step latency=1990 ms Step latency=1990 ms)
...

Re: windows machine use eap-tls & then peap during roaming

Arne Bier — Wed, 13 Mar 2024 20:47:45 GMT

I still don't know exactly what you're confused about. What do you mean by "concurrent" ? EAP chaining does exactly that ... it sends both user and machine auth at the same time when the user is logged in.

In your example with username and MAC addresses etc., what are you describing there? Which part is machine auth and which part is user auth?

Re: windows machine use eap-tls & then peap during roaming

Andrii Oliinyk — Thu, 14 Mar 2024 16:27:19 GMT

Arne,
1) in both cases it's a machine account.
2) if u look on the live logs u see 1st EAP-TLS authC, then series of PEAP-MSCHAPv2 authCs due to roaming. all off them are machine's authCs!
3) under "concurrent" i mean exactly situation when wireless nic may authenticate either with EAP-TLS or PEAP-MSCHAPv2 at a time with its _computer_ account w/o reconfigurations in the middle.
hopefully now it's clear...

Re: windows machine use eap-tls & then peap during roaming

JPavonM — Fri, 15 Mar 2024 07:16:43 GMT

Is it EAP-TLS happening while in the login screen? If so then the Windows wireless profile is configured to use "user or computer authz" and SSO is enabled to authenticate in the login screen under "Advanced settings".

The weird thing here is how Windows is changing from EAP-TLS with computer authZ to PEAP with user authZ, and using TEAP is the only way to do that EAP-chaining in Windows 10:

Try to create a profile and set this off and use EAP-PEAP and username as authentication mode as "user authz" only if that is what you want, or EAP-TLS by choosing Smartcard.

Re: windows machine use eap-tls & then peap during roaming

Andrii Oliinyk — Fri, 15 Mar 2024 07:29:27 GMT

no access to any of endpoint-side relevant tools(
only we can see is process from ISE/WLAN perspective. Each time asset presents either host/computername.company.tld (which in this endpoint's case always accompanied with negotiated method PEAP-MSCHAPv2) or computername.company.tld (which in this endpoint's case always accompanied with negotiated method EAP-TLS). what i can conclude from above for 100% is it's every time computer's authC not user's. but this doesnt hint on how it can be configured on the NIC...

Re: windows machine use eap-tls & then peap during roaming

Andrii Oliinyk — Wed, 03 Apr 2024 11:45:33 GMT

other words, the windows supplicant that just failed (bc of authZ profile dictated so) with machine's PEAP-MSCHAPv2 & few moments later it authenticates with new session with machine's EAP-TLS. How can this sequence be achieved? any ... idieas pls?

Re: windows machine use eap-tls & then peap during roaming

Greg Gibbs — Wed, 03 Apr 2024 21:31:43 GMT

The Windows supplicant is not capable of automatically 'falling back' to another authentication method (EAP-TLS) if the first one ([PEAP]MSCHAPv2) fails. My guess would be either:

Some custom scripting has been done on the endpoint to trigger the reconfig of the supplicant settings based on some Windows event that is triggered by the auth failure. You would likely have to look into the Task Scheduler and Event Viewer to find that.
Another supplicant (like AnyConnect NAM) is installed and configured for different authC methods for Computer (PEAP) versus User (EAP-TLS) auth and the User certificate enrolled using the Computer FQDN instead of the User credential. That certificate is presented to ISE when the User logs in so it sees the computer FQDN as the identity.

For either scenario (or something else), there would be no way to validate the root cause without detailed investigation of the endpoint.