Cisco 3.2 - TEAP (EAP-TLS for machine and MS-CHAPv2 for users)

mtar (Level 1)

Hello!

Currently we are designing a brand new deployment of ISE 3.2 with the Windows native dot1x client.

My question is: is it possible to use TEAP as the outer method, with EAP-TLS (certificate based) for computers and MS-CHAPv2 for users as inner methods?

I have read in a forum that the Windows native client does not support multiple inner methods, only one.

And we don't want to use EAP-TLS for user authentication. The goal is to use AD as the single point of truth regarding the users.


Another question is: If we use EAP-TLS - certificate based - machine auth, is it mandatory to configure a Certificate Authentication Profile?

Another question is: If we use EAP-TLS - certificate based - machine auth, does the machine object need to exist in the AD?

Thank you.


Accepted Solution

thomas (Cisco Employee)

You will need 2 separate Authentication Rules in your ISE Policy Set - one for each EAP inner method. The reason is that EAP-TLS will need to be associated with a Certificate Authentication Profile (CAP) - the default Preloaded_Certificate_Profile should work - while your MS-CHAPv2 auth will need to be associated with an Identity Store (Internal, AD, etc.) or sequence.

You may combine the Certificate Profile and Identity Store(s) into a single Identity Source Sequence but depending on how many other authentication rules are in your policy set, it may become a lot of extra processing for each authentication. I prefer to see each auth by protocol unless they are all the same protocol and it's more of a convenience to use an ordered set of Identity Stores with the same protocol (MS-CHAPv2 for AD1 then AD2 then Internal Users, etc.)

For an authorization rule example, see ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP)
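To make the trade-off in this answer concrete, here is a small simulation (an added example, not Cisco code and not a real ISE API) of the two designs: one authentication rule per inner EAP method, each bound to its own identity source, versus a single rule bound to an Identity Source Sequence that tries the Certificate Authentication Profile first and then AD. The store names, the user list and the rule names are constructed for the example; it records which identity stores each request touches so the extra per-authentication processing of the single-sequence design is visible.

```python
"""Toy model of ISE authentication-rule evaluation for a TEAP deployment.

Added example: it is not Cisco code and does not call any ISE API. Store
names, users and rule names are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthRequest:
    inner_method: str                     # "EAP-TLS" or "MS-CHAPv2"
    identity: str                         # CN from the cert, or the AD username
    lookups: List[str] = field(default_factory=list)   # stores consulted, in order


class CertificateAuthProfile:
    """Constructed stand-in for a CAP; only certificate-based auth can succeed here."""
    name = "Preloaded_Certificate_Profile"

    def authenticate(self, req: AuthRequest) -> bool:
        req.lookups.append(self.name)
        return req.inner_method == "EAP-TLS"


class ActiveDirectory:
    """Constructed stand-in for an AD join point with a tiny user list."""
    name = "AD1"
    users = {"alice", "bob"}

    def authenticate(self, req: AuthRequest) -> bool:
        req.lookups.append(self.name)
        return req.inner_method == "MS-CHAPv2" and req.identity in self.users


class IdentitySourceSequence:
    """Tries each store in order and stops at the first success."""

    def __init__(self, *stores):
        self.stores = stores

    def authenticate(self, req: AuthRequest) -> bool:
        return any(store.authenticate(req) for store in self.stores)


@dataclass
class AuthRule:
    name: str
    inner_method: Optional[str]           # None matches any inner method
    store: object

    def matches(self, req: AuthRequest) -> bool:
        return self.inner_method is None or self.inner_method == req.inner_method


def evaluate(rules: List[AuthRule], req: AuthRequest) -> Tuple[str, bool]:
    """First-match rule evaluation; returns (rule name, auth result)."""
    for rule in rules:
        if rule.matches(req):
            return rule.name, rule.store.authenticate(req)
    return "DEFAULT-DENY", False


CAP, AD = CertificateAuthProfile(), ActiveDirectory()

# Design (a): one rule per inner method, each bound to the store it needs.
PER_METHOD_RULES = [
    AuthRule("Machine-EAP-TLS", "EAP-TLS", CAP),
    AuthRule("User-MSCHAPv2", "MS-CHAPv2", AD),
]

# Design (b): a single catch-all rule bound to a CAP-then-AD sequence.
SINGLE_SEQUENCE_RULES = [
    AuthRule("Any-TEAP-inner", None, IdentitySourceSequence(CAP, AD)),
]


def run(rules: List[AuthRule], inner_method: str, identity: str):
    """Evaluate one request and return (rule, result, stores consulted)."""
    req = AuthRequest(inner_method, identity)
    rule, ok = evaluate(rules, req)
    return rule, ok, req.lookups


if __name__ == "__main__":
    for design, rules in (("per-method", PER_METHOD_RULES),
                          ("single-sequence", SINGLE_SEQUENCE_RULES)):
        for method, ident in (("EAP-TLS", "host01.example.local"),
                              ("MS-CHAPv2", "alice"),
                              ("MS-CHAPv2", "mallory")):
            print(design, method, ident, run(rules, method, ident))
```

A user MS-CHAPv2 request under the single-sequence design always pays for a CAP attempt before reaching AD, and a bad-password attempt walks the whole sequence; the per-method rules send each request straight to the one store that can answer it.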


13 Replies

@mtar yes you can use TEAP, with certificates for machine authentication and MSCHAPv2 for user authentication.

Thank you!

In that case, what would my authentication policy look like?

Is one line enough to handle the two kinds of protocols with the proper server sequence? Like here:

[screenshot: mtar_0-1698158500213.png]

I mean, I don't have to create a separate rule for the user and the machine auth?

Thanks


@mtar you may wish to have 2 rules in the authentication policy, one for EAP-TLS which uses a certificate authentication profile (CAP) for authentication and lookups (if required) and another for MSCHAPv2 which authenticates against AD.

If I understand correctly, the "one rule" design shown above works too, right?

So it is not necessary to have a rule for each kind of auth?


That makes sense, thank you very much!

What are the TEAP property settings under client authentication (primary and secondary EAP) of the Windows supplicant if the machine authenticates using TLS and the user using MSCHAPv2? Thanks in advance.

The primary method refers to the user and the secondary refers to machine, so in your case primary would be configured with MSCHAPv2 and secondary with EAP-TLS.

Thank you!

You're welcome.

It would be best practice not to deploy MS-CHAPv2. It's broken from an encryption perspective and is effectively disabled by Microsoft via Credential Guard (unless you choose to disable it). A better option would be to use user and computer certificates within TEAP instead.

mtar (Level 1)

Using user certificates for user authentication is not an option, unfortunately.

Are there other secure alternatives to MSCHAPv2 which you would recommend?

Why not? The alternative is TLS-based auth or SAML via Captive Portal.