10-24-2023 06:46 AM
Hello!
Currently we are designing a brand new deployment of ISE 3.2 with windows native dot1x client.
My question is: Is it possible to use TEAP as an outer method and EAP-TLS (cert based) for computers and MS-CHAPv2 for users as inner methods?
I have read in a forum that the windows native client does not support multiple inner methods, only one.
And we don't want to use EAP-TLS for user authentication. The goal is to use the AD as a single point of truth regarding the users.
Another question is: If we use EAP-TLS - certificate based - machine auth, is it mandatory to configure a Certificate Authentication Profile?
Another question is: If we use EAP-TLS - certificate based - machine auth, does the machine object need to exist in the AD?
Thank you.
11-07-2023 06:21 AM
You will need 2 separate Authentication Rules in your ISE Policy Set - one for each EAP inner method. The reason is that EAP-TLS will need to be associated with a Certificate Authentication Profile (CAP) - the default Preloaded_Certificate_Profile should work - while your MS-CHAPv2 auth will need to be associated with an Identity Store (Internal, AD, etc.) or sequence.
You may combine the Certificate Profile and Identity Store(s) into a single Identity Source Sequence but depending on how many other authentication rules are in your policy set, it may become a lot of extra processing for each authentication. I prefer to see each auth by protocol unless they are all the same protocol and it's more of a convenience to use an ordered set of Identity Stores with the same protocol (MS-CHAPv2 for AD1 then AD2 then Internal Users, etc.)
For an authorization rule example, see ISE Authentication and Authorization Policy Reference > TEAP-Chaining with Tunneled EAP (TEAP)
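An added illustration of the two-rule design described in this answer, written in Python; it is not Cisco code and does not talk to ISE. It models first-match evaluation of the authentication rules, sends each TEAP inner method to the identity source that can actually serve it (a Certificate Authentication Profile for EAP-TLS, an AD join point for MSCHAPv2), and includes a check that flags the binding mistakes the answer warns about. The rule names, the `AD_Corp` join point and the sample sessions are constructed; the condition keys follow the ISE `Network Access` dictionary attribute names.

```python
"""Toy model of the two-rule ISE authentication policy recommended above:
TEAP as the outer method, EAP-TLS for the machine and EAP-MSCHAPv2 for the
user as inner methods, each inner method matched by its own rule and sent to
the right identity source.  Added illustration, not Cisco code; it does not
talk to ISE.  Rule names, the 'AD_Corp' join point and the sample sessions
are constructed; condition keys follow ISE's 'Network Access' attributes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict        # attribute -> required value; all must match
    identity_source: str    # CAP or Identity Store / Sequence the rule uses


@dataclass(frozen=True)
class Decision:
    rule: str
    identity_source: str
    lookup_kind: str        # "certificate", "password" or "deny"


# Identity sources that validate a client certificate rather than a password.
CERTIFICATE_PROFILES = {"Preloaded_Certificate_Profile"}  # ISE default CAP

AUTHENTICATION_RULES = [
    Rule("TEAP_Machine_EAP-TLS",
         {"Network Access:EapTunnel": "TEAP",
          "Network Access:EapAuthentication": "EAP-TLS"},
         "Preloaded_Certificate_Profile"),
    Rule("TEAP_User_MSCHAPv2",
         {"Network Access:EapTunnel": "TEAP",
          "Network Access:EapAuthentication": "EAP-MSCHAPv2"},
         "AD_Corp"),                      # constructed AD join point name
]
DEFAULT_RULE = Rule("Default", {}, "DenyAccess")


def rule_matches(rule, attrs):
    """A rule matches when every condition attribute has the required value."""
    return all(attrs.get(k) == v for k, v in rule.conditions.items())


def lookup_kind(identity_source):
    """Classify what kind of credential the identity source can verify."""
    if identity_source == "DenyAccess":
        return "deny"
    if identity_source in CERTIFICATE_PROFILES:
        return "certificate"
    return "password"


def authenticate(attrs, rules=AUTHENTICATION_RULES):
    """First-match evaluation, top to bottom; unmatched sessions hit Default."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return Decision(rule.name, rule.identity_source,
                            lookup_kind(rule.identity_source))
    return Decision(DEFAULT_RULE.name, DEFAULT_RULE.identity_source, "deny")


def check_policy(rules):
    """Flag rules whose identity source cannot serve the inner method:
    EAP-TLS needs a Certificate Authentication Profile, and a password
    method such as MSCHAPv2 cannot be satisfied by one."""
    problems = []
    for rule in rules:
        inner = rule.conditions.get("Network Access:EapAuthentication")
        is_cap = rule.identity_source in CERTIFICATE_PROFILES
        if inner == "EAP-TLS" and not is_cap:
            problems.append(f"{rule.name}: EAP-TLS must use a CAP")
        if inner == "EAP-MSCHAPv2" and is_cap:
            problems.append(f"{rule.name}: MSCHAPv2 needs an identity store, not a CAP")
    return problems


# Constructed sample sessions (attributes as ISE would evaluate them).
MACHINE_SESSION = {"Network Access:EapTunnel": "TEAP",
                   "Network Access:EapAuthentication": "EAP-TLS",
                   "Network Access:UserName": "host/ws01.corp.example"}
USER_SESSION = {"Network Access:EapTunnel": "TEAP",
                "Network Access:EapAuthentication": "EAP-MSCHAPv2",
                "Network Access:UserName": "CORP\\jdoe"}
PEAP_SESSION = {"Network Access:EapTunnel": "PEAP",
                "Network Access:EapAuthentication": "EAP-MSCHAPv2",
                "Network Access:UserName": "CORP\\jdoe"}

if __name__ == "__main__":
    for label, session in [("machine", MACHINE_SESSION),
                           ("user", USER_SESSION),
                           ("peap", PEAP_SESSION)]:
        d = authenticate(session)
        print(f"{label:8} -> rule={d.rule} source={d.identity_source} ({d.lookup_kind})")
    print("policy problems:", check_policy(AUTHENTICATION_RULES) or "none")
```

The PEAP session falls through to the Default rule, which is why the default should stay at DenyAccess rather than an identity store. Swapping the two identity sources in `AUTHENTICATION_RULES` makes `check_policy` report both rules, which is the misconfiguration a single combined rule can hide.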
10-24-2023 06:49 AM
@mtar yes you can use TEAP, with certificates for machine authentication and MSCHAPv2 for user authentication.
10-24-2023 07:42 AM
Thank you!
In that case, what would my authentication policy look like?
Is one line enough to handle the two kinds of protocols with the proper Server Sequence? Like here:
I mean, I don't have to create a separate rule for the user and the machine auth?
Thanks
10-24-2023 07:47 AM
@mtar you may wish to have 2 rules in the authentication policy, one for EAP-TLS which uses a certificate authentication profile (CAP) for authentication and lookups (if required) and another for MSCHAPv2 which authenticates against AD.
10-24-2023 07:51 AM
If I understand correctly, the above showed "one rule" design is working too right?
Is it not necessary to have a rule for each kind of auth?
11-10-2023 02:15 AM
That makes sense, thank you very much!
10-17-2024 03:54 AM
What are the TEAP properties settings under client authentication (primary and secondary EAP) of the windows supplicant if machine authentication using TLS and user using MSCHAPv2? Thanks in advance.
10-17-2024 04:12 AM
The primary method refers to the user and the secondary refers to machine, so in your case primary would be configured with MSCHAPv2 and secondary with EAP-TLS.
10-17-2024 06:51 AM
Thank you!
10-17-2024 07:30 AM
You're welcome.
11-07-2023 07:35 AM
It would be best practice not to deploy MS-CHAPv2. It's broken from an encryption perspective and is effectively disabled by Microsoft via Credential Guard (unless you choose to disable it). A better option would be to use user and computer certificates within TEAP instead.
11-10-2023 12:31 AM
Using user certificates for user authentication is not an option, unfortunately.
Are there other secure alternatives to MS-CHAPv2 which you would recommend?
11-15-2023 09:38 AM
Why not? The alternative is TLS based auth or SAML via Captive Portal.