Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4180
Views
40
Helpful
8
Replies

EAP-TEAP: First time user login/chicken & egg scenario

Go to solution
DanMN
Level 1
Level 1

‎09-28-2021 01:59 AM

Hi

 

Does EAP-TEAP solve the first time user login scenario when using EAP-TLS?

 

So, you image a new Windows PC, it gets the machine certificate and always authenticates fine. Then, a new user is given that device that's authenticated successfully and tries to login. The authentication fails because the User certificate isn't downloaded before network access is taken away.

 

I know you can put an ISE chaining policy with 'user failed, machine successful'. Will the device keep this access when the user auth fails so the certificate can be downloaded? And if the certificate has downloaded, will it attempt another User authentication so that SGTs/ACLs can be applied? Or would they need to log off/have the 'user failed, machine successful' policy force re-authentication?

 

Thanks

2 Accepted Solutions

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-17-2021 02:30 PM

From the testing I've done with TEAP-EAP-TLS and the 'user or computer' setting with expired/missing user certs, you can use the 'user failed and machine succeeded' chaining result to provide access when the user cert is not enrolled. After the certificate is enrolled, however, the native supplicant does not automatically trigger another authentication event. I have not tried pushing a short reauth period in that state, but it might be tricky as the cert is enrolled via GPO which uses it's own timers.

You might have a look at what windows logs trigger in this scenario to see if there is a specific event or set of events you could use to force a GPO update and cert enrollment, then force a restart of the Wired AutoConfig service.

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to x00008037

‎02-10-2022 01:50 PM

This is the AuthZ Policy for my TEAP use case described earlier. I'm just using the top-level Domain Computers and Domain Users, but you could use more specific AD group matches if you prefer.Screen Shot 2022-02-11 at 8.47.37 am.png

View solution in original post

8 Replies 8

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎09-28-2021 05:08 AM

Hi,

Yes, with chaining the user should logout and in to trigger CoA and get new
dacls or wait for reauthenticate timer.

Go to solution
DanMN
Level 1
Level 1
In response to Mohammed al Baqari

‎09-28-2021 05:12 AM

Thank you for clearing that up. It's kind of frustrating that this is the best option we have for this sort of thing at the moment.

 

What alternative is there that would mean the user doesn't need to relogin/have a very short reauthentication timer on Machine only auths? Use MS-CHAPv2 for the User authentication and EAP-TLS for the computer? I don't think MS-CHAPv2 is generally recommended anymore?

Go to solution
Arne Bier
VIP
VIP
In response to DanMN

‎10-14-2021 11:03 PM

Hi @DanMN 

 

As far as I know and have tested, if the native Windows supplicant is set to user or machine auth, and EAP-TLS is used (certificate based auth) then Windows doesn't perform a network authentication when a user logs in at the locked screen. AFAIK this actually only work with EAP-PEAP (AD machine account used at bootup and logoff, and user AD account used at login)

 

I have not yet tried EAP-TEAP but I believe that cert based auth can be used for both user and machine auth.

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎10-17-2021 02:30 PM

From the testing I've done with TEAP-EAP-TLS and the 'user or computer' setting with expired/missing user certs, you can use the 'user failed and machine succeeded' chaining result to provide access when the user cert is not enrolled. After the certificate is enrolled, however, the native supplicant does not automatically trigger another authentication event. I have not tried pushing a short reauth period in that state, but it might be tricky as the cert is enrolled via GPO which uses it's own timers.

You might have a look at what windows logs trigger in this scenario to see if there is a specific event or set of events you could use to force a GPO update and cert enrollment, then force a restart of the Wired AutoConfig service.

Go to solution
x00008037
Level 1
Level 1

‎02-10-2022 01:03 AM

Hey seen this thread. I would be interested to see your Authorization policy that allows a certain user in a AD group to get an SGT and to get authorized while using eap-chaining and teap.

 

Im trying to figure out the best Autz policy to create to authorize a user and push and SGT for that particular AD group.

 

any help appreciated.

 

 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to x00008037

‎02-10-2022 01:50 PM

This is the AuthZ Policy for my TEAP use case described earlier. I'm just using the top-level Domain Computers and Domain Users, but you could use more specific AD group matches if you prefer.Screen Shot 2022-02-11 at 8.47.37 am.png

Go to solution
x00008037
Level 1
Level 1
In response to Greg Gibbs

‎02-10-2022 04:57 PM

thanks for that Greg that clears it up. I wasn't sure how particular you could get with the AD groups. As we will be pushing an SGT to a user , based on their AD group. The machine will do cert based authentication 

0 Helpful

Go to solution
nlyubchak@aligntech.com
Level 1
Level 1

‎05-29-2023 02:26 AM

Hello DanMN,

Could you please specify if you find some solution to solve chicken-egg issue for the first user's login?

I am stuck with the same issue and wondering if we have any good/effective solution to manage it...

0 Helpful
Customers Also Viewed These Support Documents