05-14-2024 01:44 PM
I need to know if the rule I configured and validated is a good configuration practice in a production environment, can you check and help me feel more at ease?
I set up a laboratory to connect via PEAP EAP-TLS, it worked in the lab, but I would like tips so I can take it to the real production scenario, follow the configurations I made in the laboratory:
1 - I created the GPO
2 - I configured the machine's authentication (PEAP EAP-TLS), and in this authentication I am sending the certificate.
3 - I applied gpupdate /force, and saw that the settings were replicated on my Windows virtual machine.
5 - In ISE, I configured the certificate and identity sequence.
6 - Then I created the rule to validate the computer or user. In a real scenario the rule will be like this: 1 - If the machine connects and has BR, it will receive vlan X. 2 - If you do not authenticate the machine, and only the user, you will receive VLAN Y.
OBS: There is an extra rule that didn't work, however, that's the logic.
7 - Both rules worked (with machine in the result computer | and on the cell phone with the result user)
I would like to know if this concept would work in a real scenario, or if there is any way to improve the rule?
05-14-2024 05:27 PM
It's not so much a "non-standard" as a question of why don't you use standard EAP-TLS, instead of PEAP-EAP-TLS? Even AnyConnect will support EAP-TLS. But regardless of that, if it works for you then that's cool. I don't know if EAP-PEAP will present an issue for you in Windows 11, because Microsoft are trying to enforce things like Credential Guard - and when EAP-PEAP MSCHAPv2 is used, then it will fail when Credential Guard is used - the supplicant will have no access to the user credentials for MSCHAPv2.
And the other point was that when you are performing Authentication, you do not need to Authenticate against AD. It's enough to authenticate against the certificate, and then extract the username from Subject or SAN. It looks like you are using AD for auth - my advice is that it's not required for EAP-TLS.
05-14-2024 03:06 PM
Hi @joandwifi
Great use of screenshots to help us understand the setup! I am wondering why you're using PEAP-EAP-TLS and not straight up EAP-TLS? In the Windows IEEE 802.1X configuration there is an Authentication option called "Microsoft: Smart Card or other certificate" - that is EAP-TLS. You can then further select Authentication Mode "Computer Authentication".
In the Identity Source Sequence, you don't need to perform an AD lookup to retrieve the username from the certificate - I would select the option to "Use Identity From Certificate Attribute" - that saves time and effort. Depending on how the Computer Certificates are made, the username is either in the Subject CN or in the SAN - you must tell ISE where to look. You still use AD to perform an AD Group Membership lookup with the username that ISE found in the certificate.
As for the Authorization Rules, there is a "Normalised Radius" attribute called "SSID" which I would personally use instead of Called-Station-ID. They both achieve the same thing, but ISE provides you with an abstraction that also makes the config self-documenting and easier to read, IMHO. How you construct your Authorization Rules is open to interpretation - my rule is to create one Policy Set PER SSID - that means, I test the SSID name at the top of the Policy Set condition, and then never need to test it again in the Authorization sections. It's how you'd write efficient computer code (test once, and branch out).
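The "test the SSID once at the top, then branch on machine versus user" structure described in this answer, modelled as a small Python function. This is an added illustration, not code from the thread or from ISE: the attribute names, the "host/" convention for Windows computer identities, the Called-Station-Id "AP-MAC:SSID" format and the AD group names are all assumptions, and the request dicts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Wireless NADs commonly send Called-Station-Id as "<AP-MAC>:<SSID>"; the
# "Normalised Radius:SSID" attribute is the part after the colon (assumption).
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def normalised_ssid(called_station_id: str) -> Optional[str]:
    """Extract the SSID from a wireless Called-Station-Id, or None if malformed."""
    m = CALLED_STATION_RE.match(called_station_id)
    return m.group("ssid") if m else None


def identity_kind(eap_identity: str) -> str:
    """Windows computer authentication presents 'host/<FQDN>' (assumption);
    anything else is treated as a user identity (UPN or sAMAccountName)."""
    return "machine" if eap_identity.lower().startswith("host/") else "user"


@dataclass(frozen=True)
class Decision:
    policy_set: str
    vlan: Optional[str]   # None means no access was granted
    reason: str


def authorize(req: dict, corp_ssid: str = "CORP",
              vlan_machine: str = "X", vlan_user: str = "Y") -> Decision:
    """Evaluate one constructed request the way the policy set is laid out:
    SSID tested once at the top, then machine/user branches inside."""
    ssid = normalised_ssid(req.get("Called-Station-Id", ""))
    if ssid != corp_ssid:
        return Decision("Default", None, f"ssid {ssid!r} not handled here")
    if not req.get("CertificateValidated"):
        return Decision(corp_ssid, None, "certificate not validated -> reject")
    kind = identity_kind(req["EAP-Identity"])
    # AD is used only for the group lookup on the name taken from the cert.
    if kind == "machine" and req.get("AD-Group") == "Domain Computers":
        return Decision(corp_ssid, vlan_machine, "machine authenticated")
    if kind == "user" and req.get("AD-Group") == "Domain Users":
        return Decision(corp_ssid, vlan_user, "user authenticated")
    return Decision(corp_ssid, None, "no matching authorization rule -> deny")
```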
05-14-2024 05:13 PM
Hello @Arne Bier
I hope you are well!
Thanks for the quick response.
My client has a validation configuration with a machine, and due to sea limitations, it only works with AnyConnect or TEAP configuration. It will not implement TEAP, so I am simulating authentication with PEAP EAP-TLS, as it would be the fastest way to validate the machine.
I did it and it worked.
I saw your recommendation and I'm studying how to simulate it here too, but here are the images from my laboratory.
Is my configuration too non-standard?
05-14-2024 05:57 PM
The TAC recommended both AnyConnect and the TEAP configuration, but my client, being "global", said it would be impractical. That's why they are studying PEAP EAP-TLS.
I will follow your guidelines and study the behavior in W11. Furthermore, I'm going to try to do a lab with the W11 image to try to understand something.
In any case, thank you very much for your attention, I will study the topic a little more.