1838 Views, 1 Helpful, 5 Replies

EAP-TEAP with EAP-TLS for user+machine, Windows 11 first login

jthurston (Level 1)

Hello, does anyone have any advice on how to resolve this issue? The problem is that the first time a user signs into a workstation, they do not yet have their certificate from our CA. The CA does provide a user cert automatically, but not before the Windows 11 authentication supplicant runs and fails user auth.

We currently use EAP-TEAP with MSCHAPv2 + EAP-TLS, which works very well, but Microsoft is now enabling Credential Guard by default and as the recommended setting, which makes MSCHAPv2 a nonstarter.

I found a way to restart the Windows authentication supplicant using netsh, but this evidently causes other issues with SCCM.
Running netsh automatically at Windows login from a .bat file works very well if there is a user physically at the workstation.
When ITOPS uses SCCM to remote into a workstation, however, the system returns to the lock screen immediately after netsh runs.

If anyone knows a better way to do this I would be very interested. 

5 Replies

Arne Bier (VIP)

Why is user-based network authentication important to you? I.e., can/will/should more than one user be able to log into the workstation with their own credentials and then be treated differently on the network (e.g. different VLAN or ACL)?

In most cases, machine authentication works just great, when there is no need to further differentiate the network access on a per-user level. Users can log into the PC and the PC remains authorized based on the machine certificate (EAP-TLS).

Have you run into scenarios where EAP chaining is required to solve a problem you're experiencing? I don't know if the PC waking up from sleep mode is still an issue with only machine auth enabled. Or the scenario of switching from wired to wireless and vice versa: the PC can get confused, and then EAP chaining gets us out of trouble. Maybe I am just lucky, but I don't hear much about these problems.

Don't focus on the end result of "user authenticated" - it's not a matter of why we do it. It's a problem of we no longer CAN do it because of this change to Credential Guard. 

Look at it this way: we are a very public/open facility, it's health care. Random people are all over the place.
Anyone can walk in and plug something into the network.

So we secure our network with 802.1x EAP-TEAP [Machine + User] authentication.
In our opinion it is not sufficient to say "the machine authenticated so it must be ok".

It is also often a matter of not just what+who but where they are located.
If they are connecting to a network port in a conference room which is not in a secure area, their laptop may be provided internet access so they have email etc., but nothing sensitive, while at the same time not being on the Guest network.
Someone else, say an outside guest in the same conference room, might plug in for whatever reason; they would be unable to authenticate, which results in Guest access.

Unfortunately, because of the issue with first/initial sign-on, this disrupts that workflow. We have new users literally every day, and every time they go to a workstation they have not signed into before, they have limited network access and must sign out and then sign back in.

Greg Gibbs (Cisco Employee)

The best option is likely using the 'User failed and computer succeeded' EAP Chaining result to permit access based on the initial Computer certificate authentication.

https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351

Requiring users to sign out and then sign back in is a horrible solution. We have new users every day; sometimes they are here for only a month or two. I suppose for now our best option is a creatively written login script that decides whether it needs to run or not and resets networking, until Microsoft or someone else decides to fix it.

In the Microsoft supplicant there is a "delay" option but it is definitely broken last time I looked at it.
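As an added example (not code posted by the original poster, by Cisco, or by Microsoft), here is one way to write the "decide if it needs to run" logon script described in the posts above in PowerShell. It only re-triggers 802.1X when a usable user certificate was missing at logon and has since been auto-enrolled, and it records a per-user marker so it never fires again on that machine. The CA name, the adapter name and the registry marker key are assumptions; so is the use of `netsh lan reconnect` as the reconnect command, since the thread does not say which netsh command was used.

```powershell
# Added example, not from the original thread. Logon script that re-runs 802.1X
# user authentication only on the first logon of a user to this workstation,
# after their auto-enrolled EAP-TLS certificate has arrived.
#
# Assumptions (not stated in the thread):
$CaIssuerMatch = 'CN=Contoso Issuing CA'                   # substring of the issuing CA's subject
$Interface     = 'Ethernet'                                # name of the 802.1X wired adapter
$MarkerKey     = 'HKCU:\Software\Contoso\Dot1xFirstLogon'  # per-user marker on this machine
$MaxWaitSec    = 120                                       # how long to wait for autoenrollment

function Get-UserAuthCert {
    # A cert the supplicant can actually use for EAP-TLS: issued by our CA,
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2), private key present, not expired.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $c = $_
            $c.Issuer -like "*$CaIssuerMatch*" -and
            $c.HasPrivateKey -and
            $c.NotAfter -gt (Get-Date) -and
            ($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# 1. Already handled for this user on this machine: nothing to do.
if (Test-Path $MarkerKey) {
    Write-Output 'First-logon 802.1X fix already applied; exiting.'
    return
}

# 2. Only act for a local console logon. Note: this catches RDP sessions
#    (SESSIONNAME is RDP-Tcp#n) but NOT tools that shadow the console session,
#    so it is a partial guard, not a complete fix for remote-control sessions.
if ($env:SESSIONNAME -ne 'Console') {
    Write-Output "Session '$env:SESSIONNAME' is not the console; not touching the supplicant."
    return
}

# 3. If no usable user cert is present yet, nudge autoenrollment and wait for it.
$cert = Get-UserAuthCert
$neededEnrollment = ($null -eq $cert)
if ($neededEnrollment) {
    certutil.exe -pulse | Out-Null    # run the user's autoenrollment now instead of on its schedule
    $deadline = (Get-Date).AddSeconds($MaxWaitSec)
    while (-not $cert -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 5
        $cert = Get-UserAuthCert
    }
}

if (-not $cert) {
    Write-Warning "No user certificate from $CaIssuerMatch after $MaxWaitSec s; leaving current network state alone."
    return
}

# 4. The supplicant's user phase already ran without a credential at this logon,
#    so only now is a reconnect needed to present the new certificate.
if ($neededEnrollment) {
    netsh.exe lan reconnect interface="$Interface" | Out-Null
}

# 5. Record that this user/machine pair has been handled so later logons skip all of this.
New-Item -Path $MarkerKey -Force | Out-Null
Set-ItemProperty -Path $MarkerKey -Name 'CertThumbprint' -Value $cert.Thumbprint
Set-ItemProperty -Path $MarkerKey -Name 'AppliedAt' -Value (Get-Date).ToString('o')
```

The marker lives under HKCU, so it is scoped to the user profile on that workstation; with roaming profiles or a profile wipe it should be replaced by a per-machine key under HKLM with a per-user subkey. Whether the reconnect succeeds also depends on the Wired AutoConfig (dot3svc) service being running and on the adapter name matching the 802.1X-enabled interface, both of which are worth verifying on a test machine before deploying this as a logon script.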


Marc Aemmer (Level 1)

Same problem here. Until now, we used EAP-TLS with machine authentication. But we have a use case where we need to do user-based network authentication. The machines of the IT staff get a more privileged SGT than other machines. We do this by using the machine name. This is not safe, because everyone (not only IT staff) using one of these machines would get this privileged SGT. By using TEAP with user-based authentication, we would be able to differentiate the SGT on a per-user basis.