ISE - TEAP - MS-CHAPv2

YC2
Level 1

We currently have ISE 3.0 Patch 6 with AD integration. We have machine and user auth set up using PEAP & MS-CHAPv2 and all is well. I would like to move to TEAP so I can chain machine and user auth in one to be able to enforce policies to deny access to non-domain machines.

 

I've seen several examples and documents on how to set this up but they are all certificate based. Can we do this without endpoint certificates? I thought I read one reference that says it's possible but I haven't seen any working examples. Can someone indeed confirm this is possible and provide examples/instructions of this being done?

4 Replies

@YC2 yes you can use MSCHAPv2 for Computer and/or User authentication, it's just a drop-down box to select the primary and secondary EAP method to use when configuring the supplicant. You'd obviously need to configure ISE to use TEAP as an allowed protocol.

 

@Rob Ingram Thanks for confirming. I guess I was just worried about ISE supporting that particular mix since I didn't see any practical examples of it. Would the policies still look like the certificate based ones using the Network Access · EapChainingResult attribute, or the PEAP policies, or some kind of mix of the two?

 

 

@YC2 the authorisation policies on ISE would at a minimum require the condition EapChainingResult = x, obviously the computer and user would need to be authenticated using MSCHAPv2 against AD.

Greg Gibbs
Cisco Employee

@YC2 , keep in mind that Windows Credential Guard can cause issues with the use of MSCHAPv2 regardless of what outer method is used (PEAP, TEAP, etc). If you have computers that have CG enabled by the domain policy, you may need to disable this Windows security feature (and accept the risk of doing so) to use TEAP(MSCHAPv2).

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
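An added example, not posted by anyone in this thread: before committing a fleet to TEAP with an MS-CHAPv2 inner method, it is worth checking each supplicant for exactly the condition Greg describes. The PowerShell below reads the documented Win32_DeviceGuard class (SecurityServicesRunning code 1 is Credential Guard) and the LsaCfgFlags value under the Lsa and DeviceGuard policy keys that the linked Microsoft page uses to describe the enabled/locked states. The function name and the output object layout are my own; the class, property and registry names are Microsoft's.

```powershell
# Added example (not from the thread): report whether Credential Guard is running
# on a Windows supplicant before relying on TEAP with an MS-CHAPv2 inner method.
# Reads only documented sources: the Win32_DeviceGuard CIM class and the
# LsaCfgFlags registry value. No third-party modules are needed.

function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # SecurityServicesRunning / SecurityServicesConfigured codes (documented):
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $running    = @($dg.SecurityServicesRunning)    -contains 1
    $configured = @($dg.SecurityServicesConfigured) -contains 1

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaFlag = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags `
                                 -ErrorAction SilentlyContinue).LsaCfgFlags

    # Group Policy writes the same setting under the DeviceGuard policy key
    $polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $polFlag = (Get-ItemProperty -Path $polKey -Name LsaCfgFlags `
                                 -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        CredentialGuardRunning    = $running
        CredentialGuardConfigured = $configured
        LsaCfgFlags               = $lsaFlag
        PolicyLsaCfgFlags         = $polFlag
        UefiLocked                = ($lsaFlag -eq 1)
        # Per the Microsoft considerations page, CG blocks MS-CHAPv2 for domain
        # credentials, whatever the outer method; treat a running CG as a blocker.
        TeapMschapv2Viable        = -not $running
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if ($state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is running: TEAP(MS-CHAPv2) with domain credentials is expected to fail.'
    if ($state.UefiLocked) {
        Write-Warning 'UEFI lock is set: turning CG off needs the documented opt-out with confirmation at boot, not policy alone.'
    }
}
```

Run it once per hardware model before changing the supplicant profile; a machine where CredentialGuardConfigured is true but CredentialGuardRunning is false has the policy applied but not yet rebooted, and will start failing after its next restart.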