02-21-2024 11:39 AM - edited 02-21-2024 11:43 AM
Hello,
I'm labbing up some 802.1x authentication scenarios. We need to support both PIV/cert auth and username/passwords (user forgets their card etc.). What I'm finding is whenever in the TEAP config I give it the option to use Secured Password, it always uses it even though it's the second choice. Whenever I set them both to Smart Card or other certificate, understandably it uses Smart Card or other certificate.
The expected behavior I'm looking for is if the client has a cert / PIV etc., that identity source would be attempted first. Only if the endpoint / user doesn't have a cert would it then fall back to username/password.
In the other settings not shown I have the root cert checked so it's validated.
Is what I'm currently seeing the expected behavior, or is there something wrong?
02-21-2024 12:21 PM
Someone had a discussion about this a while back - the Windows supplicant is a bit weird - IIRC, Primary Authentication actually refers to the User Auth, and Secondary Authentication refers to the Machine Auth. And it should be EAP-TLS for both. Windows and Credential Guard will be a problem (hence why PEAP may not work, and can't be a fallback).
02-21-2024 12:17 PM
Credential guard enabled? Why use passwords at all? Why not always certificates?
I also don't think it works like this. The second auth type is the "second identity" with TEAP. It's not a try-certificate-first-then-try-username/password.
02-21-2024 12:39 PM
I would love to require staff to always use PIV auth, but folks lose their cards, cards break, etc.
02-21-2024 01:18 PM
So what do people do where the computer will have a cert from an enterprise PKI? We can use that cert to validate the computer, but on the user side they may or may not have a PIV card for the reasons above, and things like computers in some lab where you can't bring your PIV card with you but you need to username/password onto them. As best I can tell, the supplicant on a Windows box can only be configured for one or the other... that is, either use cert for both the user/computer or use username/password.
02-21-2024 01:35 PM
02-21-2024 02:19 PM
This is where I'm getting hung up. For Windows computers we can pretty much for certain say it will have a cert. Now multiple types of users could walk up to this same computer. Some may username/password auth and others may PIV auth. How would you configure the Windows native supplicant?
02-21-2024 02:54 PM
02-21-2024 02:58 PM
Yeah, throw TEAP out the window with what I now understand. So now we go down the EAP side and you have 2 options. You either configure it for "Secured Password (EAP-MSCHAP v2)" OR "Smart Card or other Certificate". Given the same scenario mentioned previously, how would that play out? Let's say we set it to Secured Password but the user uses their PIV card...
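Because the thread turns on which EAP methods a Windows profile actually enables (a single TEAP profile with two identities, versus a PEAP/MSCHAPv2 or EAP-TLS profile), a quick way to settle what a given box is configured for is to read the EapHostConfig XML inside the exported 802.1X profile rather than clicking through the dialog. The script below is an added example and not something posted in this thread; the sample XML is a constructed, simplified illustration of Microsoft's EapHostConfig layout rather than a verbatim Windows export, and only the method type numbers (the IANA EAP types) are authoritative. It lists every EAP type found, outer method first, and flags whether the profile is password-based, certificate-based, and whether a trusted root CA thumbprint is present for server validation.

```python
"""Audit which EAP methods a Windows 802.1X profile enables.

Added example (not from the thread). Parses the EapHostConfig XML that
Windows embeds in a wired/wireless 802.1X profile and reports the EAP
methods it finds. The sample profiles below are constructed illustrations
of the EapHostConfig layout, not verbatim exports; only the EAP type
numbers (IANA EAP method types) are authoritative.
"""
import xml.etree.ElementTree as ET

# IANA EAP method type -> (name, category). Windows labels 13 as
# "Smart Card or other certificate" and 26 as "Secured password".
EAP_TYPES = {
    13: ("EAP-TLS", "certificate"),
    25: ("PEAP", "tunnel"),
    26: ("EAP-MSCHAPv2", "password"),
    55: ("TEAP", "tunnel"),
}

# Constructed sample: PEAP with an EAP-MSCHAPv2 inner method (password auth).
SAMPLE_PEAP_MSCHAPV2 = """
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <TrustedRootCA>aa bb cc dd</TrustedRootCA>
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
        </Eap>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"""

# Constructed sample: EAP-TLS only (certificate / smart card auth).
SAMPLE_EAP_TLS = """
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <ServerValidation>
          <TrustedRootCA>aa bb cc dd</TrustedRootCA>
        </ServerValidation>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def eap_methods(profile_xml):
    """Return the distinct EAP type numbers in document order (outer first)."""
    root = ET.fromstring(profile_xml)
    types = []
    for el in root.iter():
        text = (el.text or "").strip()
        if _local(el.tag) == "Type" and text.isdigit():
            n = int(text)
            if n not in types:
                types.append(n)
    return types


def audit(profile_xml):
    """Summarise the profile: method names, auth category, server validation."""
    root = ET.fromstring(profile_xml)
    types = eap_methods(profile_xml)
    categories = [EAP_TYPES.get(t, ("EAP type %d" % t, "unknown")) for t in types]
    pinned = [e.text for e in root.iter()
              if _local(e.tag) == "TrustedRootCA" and (e.text or "").strip()]
    return {
        "methods": [name for name, _ in categories],
        "password_based": any(cat == "password" for _, cat in categories),
        "certificate_based": any(cat == "certificate" for _, cat in categories),
        "server_cert_pinned": bool(pinned),
    }


if __name__ == "__main__":
    for label, xml in (("PEAP/MSCHAPv2", SAMPLE_PEAP_MSCHAPV2), ("EAP-TLS", SAMPLE_EAP_TLS)):
        print(label, audit(xml))
```

To run it against a real machine, export the profile first (e.g. `netsh lan export profile folder=. interface="Ethernet"` for wired, or the `netsh wlan` equivalent), then pass the exported XML to `audit()`; the parser keys only on element local names, so it tolerates the namespace differences between the PEAP, EAP-TLS and TEAP schemas. A profile that reports `password_based: True` is one where Credential Guard, as noted above, may get in the way, and a profile with `server_cert_pinned: False` accepts any server certificate the client trusts, which is the "root cert checked" setting the original poster mentions.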