
EAP-TEAP: First time user login/chicken & egg scenario

DanMN
Level 1

Hi

Does EAP-TEAP solve the first time user login scenario when using EAP-TLS?

So, you image a new Windows PC, it gets the machine certificate and always authenticates fine. Then, a new user is given that device that's authenticated successfully and tries to login. The authentication fails because the User certificate isn't downloaded before network access is taken away.

I know you can put an ISE chaining policy with 'user failed, machine successful'. Will the device keep this access when the user auth fails so the certificate can be downloaded? And if the certificate has downloaded, will it attempt another User authentication so that SGTs/ACLs can be applied? Or would they need to log off/have the 'user failed, machine successful' policy force re-authentication?

Thanks


8 Replies

Hi,

Yes, with chaining the user should log out and in to trigger CoA and get new dACLs, or wait for the reauthentication timer.

Thank you for clearing that up. It's kind of frustrating that this is the best option we have for this sort of thing at the moment.

What alternative is there that would mean the user doesn't need to re-login/have a very short reauthentication timer on machine-only auths? Use MS-CHAPv2 for the User authentication and EAP-TLS for the computer? I don't think MS-CHAPv2 is generally recommended anymore?

Hi @DanMN

As far as I know and have tested, if the native Windows supplicant is set to user or machine auth, and EAP-TLS is used (certificate-based auth), then Windows doesn't perform a network authentication when a user logs in at the locked screen. AFAIK this actually only works with EAP-PEAP (AD machine account used at bootup and logoff, and user AD account used at login).

 

I have not yet tried EAP-TEAP but I believe that cert based auth can be used for both user and machine auth.

Greg Gibbs
Cisco Employee

From the testing I've done with TEAP-EAP-TLS and the 'user or computer' setting with expired/missing user certs, you can use the 'user failed and machine succeeded' chaining result to provide access when the user cert is not enrolled. After the certificate is enrolled, however, the native supplicant does not automatically trigger another authentication event. I have not tried pushing a short reauth period in that state, but it might be tricky as the cert is enrolled via GPO which uses its own timers.

You might have a look at what Windows logs trigger in this scenario to see if there is a specific event or set of events you could use to force a GPO update and cert enrollment, then force a restart of the Wired AutoConfig service.
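One way to automate the sequence Greg describes above, as an added example that is not from the thread or from Cisco: a PowerShell script run at logon that checks for an enrolled user client-auth certificate, pulls GPO and autoenrollment if it is missing, and restarts Wired AutoConfig once it is present so the supplicant re-runs TEAP. It assumes it runs elevated in the logged-on user's context (for example an "At log on" scheduled task with highest privileges, so Cert:\CurrentUser\My is that user's store); the certificate filter, the two-minute wait and the function name are my choices.

```powershell
# Added example, not from the thread. Assumes: elevated, logged-on user's
# context (scheduled task "At log on", highest privileges), machine-only
# access already granted by the 'user failed, machine succeeded' rule.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-UserClientAuthCert {
    # Newest non-expired user cert with a private key and the client-auth EKU,
    # i.e. one the native supplicant can present for TEAP inner EAP-TLS.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

if (-not (Get-UserClientAuthCert)) {
    # Network is reachable on machine-only access, so pull user GPO and
    # autoenrollment now rather than waiting for their own timers.
    gpupdate /target:user /force | Out-Null
    certutil -user -pulse | Out-Null

    # Autoenrollment runs asynchronously; poll briefly for the cert to land.
    $deadline = (Get-Date).AddMinutes(2)
    while (-not (Get-UserClientAuthCert) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 10
    }
}

if (Get-UserClientAuthCert) {
    # Restarting Wired AutoConfig (dot3svc) forces a fresh 802.1X/TEAP
    # exchange with the user cert present, so ISE can match the
    # 'user and machine succeeded' rule and apply the user's SGT/dACL.
    Restart-Service -Name dot3svc -Force
    Write-Output 'User cert present; restarted Wired AutoConfig to re-authenticate.'
} else {
    Write-Output 'No user client-auth cert enrolled yet; staying on machine-only access.'
}
```

Restarting dot3svc briefly drops and re-establishes the wired session, so test the timing against your ISE reauth and CoA settings before deploying it.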

x00008037
Level 1

Hey, I've seen this thread. I would be interested to see your Authorization policy that allows a certain user in an AD group to get an SGT and to get authorized while using EAP chaining and TEAP.

I'm trying to figure out the best AuthZ policy to create to authorize a user and push an SGT for that particular AD group.

Any help appreciated.

This is the AuthZ Policy for my TEAP use case described earlier. I'm just using the top-level Domain Computers and Domain Users, but you could use more specific AD group matches if you prefer.

[Attached image: Screen Shot 2022-02-11 at 8.47.37 am.png]

Thanks for that Greg, that clears it up. I wasn't sure how particular you could get with the AD groups, as we will be pushing an SGT to a user based on their AD group. The machine will do cert-based authentication.

Hello DanMN,

Could you please specify if you found a solution to the chicken-and-egg issue for the user's first login?

I am stuck with the same issue and wondering if we have any good/effective solution to manage it...