topic Re: EAP-TEAP: First time user login/chicken & egg scenario in Network Access Control

EAP-TEAP: First time user login/chicken & egg scenario

DanMN — Tue, 28 Sep 2021 08:59:38 GMT

Does EAP-TEAP solve the first time user login scenario when using EAP-TLS?

So, you image a new Windows PC, it gets the machine certificate and always authenticates fine. Then, a new user is given that device that's authenticated successfully and tries to login. The authentication fails because the User certificate isn't downloaded before network access is taken away.

I know you can put an ISE chaining policy with 'user failed, machine successful'. Will the device keep this access when the user auth fails so the certificate can be downloaded? And if the certificate has downloaded, will it attempt another User authentication so that SGTs/ACLs can be applied? Or would they need to log off/have the 'user failed, machine successful' policy force re-authentication?

Thanks

Re: EAP-TEAP: First time user login/chicken

Mohammed al Baqari — Tue, 28 Sep 2021 12:08:24 GMT

Hi,

Yes, with chaining the user should logout and in to trigger CoA and get new
dacls or wait for reauthenticate timer.

Re: EAP-TEAP: First time user login/chicken

DanMN — Tue, 28 Sep 2021 12:12:21 GMT

Thank you for clearing that up. It's kind of frustrating that this is the best option we have for this sort of thing at the moment.

What alternative is there that would mean the user doesn't need to relogin/have a very short reauthentication timer on Machine only auths? Use MS-CHAPv2 for the User authentication and EAP-TLS for the computer? I don't think MS-CHAPv2 is generally recommended anymore?

Re: EAP-TEAP: First time user login/chicken

Arne Bier — Fri, 15 Oct 2021 06:03:05 GMT

Hi @DanMN

As far as I know and have tested, if the native Windows supplicant is set to user or machine auth, and EAP-TLS is used (certificate based auth) then Windows doesn't perform a network authentication when a user logs in at the locked screen. AFAIK this actually only work with EAP-PEAP (AD machine account used at bootup and logoff, and user AD account used at login)

I have not yet tried EAP-TEAP but I believe that cert based auth can be used for both user and machine auth.

Re: EAP-TEAP: First time user login/chicken & egg scenario

Greg Gibbs — Sun, 17 Oct 2021 21:30:08 GMT

From the testing I've done with TEAP-EAP-TLS and the 'user or computer' setting with expired/missing user certs, you can use the 'user failed and machine succeeded' chaining result to provide access when the user cert is not enrolled. After the certificate is enrolled, however, the native supplicant does not automatically trigger another authentication event. I have not tried pushing a short reauth period in that state, but it might be tricky as the cert is enrolled via GPO which uses it's own timers.

You might have a look at what windows logs trigger in this scenario to see if there is a specific event or set of events you could use to force a GPO update and cert enrollment, then force a restart of the Wired AutoConfig service.

Re: EAP-TEAP: First time user login/chicken & egg scenario

x00008037 — Thu, 10 Feb 2022 09:03:02 GMT

Hey seen this thread. I would be interested to see your Authorization policy that allows a certain user in a AD group to get an SGT and to get authorized while using eap-chaining and teap.

Im trying to figure out the best Autz policy to create to authorize a user and push and SGT for that particular AD group.

any help appreciated.

Re: EAP-TEAP: First time user login/chicken & egg scenario

Greg Gibbs — Thu, 10 Feb 2022 21:50:52 GMT

This is the AuthZ Policy for my TEAP use case described earlier. I'm just using the top-level Domain Computers and Domain Users, but you could use more specific AD group matches if you prefer.

Re: EAP-TEAP: First time user login/chicken & egg scenario

x00008037 — Fri, 11 Feb 2022 00:57:22 GMT

thanks for that Greg that clears it up. I wasn't sure how particular you could get with the AD groups. As we will be pushing an SGT to a user , based on their AD group. The machine will do cert based authentication

Re: EAP-TEAP: First time user login/chicken & egg scenario

nlyubchak@aligntech.com — Mon, 29 May 2023 09:26:36 GMT

Hello DanMN,

Could you please specify if you find some solution to solve chicken-egg issue for the first user's login?

I am stuck with the same issue and wondering if we have any good/effective solution to manage it...

Re: EAP-TEAP: First time user login/chicken & egg scenario

icarimo — Thu, 30 Jan 2025 09:36:26 GMT

Hello Greg,

Thank you for the reply.

I don´t if this will work in my scnerario, because, as soon as the computer perfoms the first logins, the device tries to connect to Wi-Fi using a user certificate, however the computer do not initiate the wif-fi authentication, so no packet will reach the Cisco ISE.

Since the computer do not have any user certificate, it does not initiate the wifi connection

Re: EAP-TEAP: First time user login/chicken & egg scenario

Greg Gibbs — Thu, 30 Jan 2025 21:57:25 GMT

@icarimo

I have used this flow with TEAP(EAP-TLS) and the 'User failed and computer succeeded' EAP Chaining result for both Wired and Wireless use cases to permit access based on the initial Computer certificate authentication and a missing or expired User certificate multiple times.

Re: EAP-TEAP: First time user login/chicken & egg scenario

MSJ1 — Tue, 14 Apr 2026 21:19:46 GMT

i have a problem as per attached when I remove user cert from a device's user cert store just to mimic the scenario of "no user cert".

I can see it matches the AuthZ named - "TEAP Entra Joined Device" when device boot up and but when user logs in Authz session does not change as per ISE log.

But when a device has a User Cert stored, it perfectly matches another AuthZ Policy which is for user and devices succeeded for Eap Chaining Result.

Note that i have reauthentication timer setup for "TEAP Entra User Failed" AuthZ policy so that it can reauthenticate again assuming user cert will be downloaded before the reauth timer.

Please suggest any clue.

Re: EAP-TEAP: First time user login/chicken & egg scenario

Greg Gibbs — Tue, 14 Apr 2026 22:31:09 GMT

ISE version, patch?
Endpoint OS, version, configuration?
What do the log details look like for the session?
What does the EAP Chaining Result reflect in the logs?
Have you searched for any bugs related to this issue?
What other troubleshooting have you done?

This is the kind of information you should provide for any posts in order for community to provide any meaningful help. If you need urgent assistance, call TAC.

Re: EAP-TEAP: First time user login/chicken & egg scenario

MSJ1 — Tue, 14 Apr 2026 23:01:58 GMT

ISE version, patch? - 3.5 patch 2

Endpoint OS, version, configuration? - Windows 11 , Supplicant Config set as TEAP with EAP-TLS for both primary and secondary auth and auth mode is user or computer authentication.

What do the log details look like for the session? - Log still shows identity as machine name it ( ISE log ) does not change when user logs in to the machine.

What does the EAP Chaining Result reflect in the logs? - it shows - EapChainingResult User failed and machine succeeded

Have you searched for any bugs related to this issue? - not yet

What other troubleshooting have you done? - if I set reauth timer for authZ Policy - TEAP Entra Joined Device it gets reauthenticated within the set timer and if cert is downloaded before that it matches the eap chain result with both user and machine succeeded.

Re: EAP-TEAP: First time user login/chicken & egg scenario

Greg Gibbs — Wed, 15 Apr 2026 22:16:42 GMT

I had another look at your AuthZ Policy screenshot.

You're matching on the User group lookup condition (Cisco_xxx_EntraID) instead of a device lookup condition (Cisco_xxx_EntraIDDevice) in that rule. You're not getting user identity, so that condition will not match. You need to either remove that condition or change it to one that matches on the device.

Re: EAP-TEAP: First time user login/chicken & egg scenario

MSJ1 — Fri, 17 Apr 2026 03:02:17 GMT

Hello Greg,

I tried to follow as you suggested. I removed User group lookup condition from AuthZ Rule - " TEAP Entra User Failed."

When device is powered on it matches " TEAP Entra User Failed." and when user is logged in if there is no user cert it still stays on this AuthZ Rule - " TEAP Entra User Failed."

if I bring rule 2 - "TEAP Entra Joined Device" before " TEAP Entra User Failed." it matches "TEAP Entra Joined Device" rule.