TEAP (EAP-TLS) – Machine-Only Auth Result in Access Without User Cert

MSN_1
Level 1

We’re using TEAP with EAP-TLS and EAP-Chaining in our ISE deployment for wired network access. The configuration follows this Cisco document:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Our authorization policy is similar to the pic below.

[Screenshot: authorization policy]

The problem was that some users got network access without a valid user certificate. After checking, I found that the machine certificate was present, but a valid user certificate was missing. Yet the user still gained network access. Since TEAP failed user authentication but succeeded in machine authentication, ISE allowed access through the machine-only rule.

Before, we were using TEAP with MSCHAPv2, and with that setup this issue never happened because of how the authentication process works.

I can tweak the machine-only authorization profile to limit access, but I’d like to know if anyone else has faced this and any suggestions on how to handle it?

6 Replies

Arne Bier
VIP

In your screenshot, you return Permit Access in both cases - that's why a failed user auth has the same result as a successful user auth. What Authorization result do you plan to return in the case where the user auth is (not yet) successful?

We keep the 'User Failed + Machine Passed' EAP chaining rule at the end of the authorization policy to allow services like RDP, policy updates, and patching before user login.

What I meant is:

Using MSCHAPv2 --- If a user logs in with a wrong password, the login fails → no access to the PC, no chained auth → only machine-only auth remains. This is safe.
Using EAP-TLS --- If a user logs in with the correct username + password but a bad user certificate, Windows still allows the user to log in. But ISE fails the user auth (bad cert) and falls back to machine-only authorization, because the machine cert is valid. So the user gets access to the PC and some network access via the machine-only rule.

I can tweak the machine-only authorization profile to limit access, but I would like to know if there are any other suggestions, or is this the way I need to handle this?

Can I ask some q

Did you enable EAP chaining in Allowed Protocols > Allow TEAP?

MHM

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Did you check this?

Notice 

One authc policy and two authz policies

MHM

I think what you are seeing is expected, and I think we need to split this into two parts. Part one is when a user uses wrong credentials. In this case the user doesn't get access to the PC because of the failed authentication against Windows itself or against AD via ISE.

Part two instead is when certificate authentication is used. The difference in this case is that when a user types in their credentials correctly they will pass the authentication against Windows, and because the user's credentials would be cached on Windows the login to the PC itself is successful. Now the second bit of this is the certificate authentication against AD via ISE. When it fails, ISE will apply the action you have configured on the second authorization rule, which is permit access. However, if you have configured Windows with certificate authentication with a smart card, for example, a user with a bad certificate won't have access to the PC.

As mentioned by @Arne Bier, you should have a different authorization profile applied to the "Machine authentication" authorization rule, restricting access to only what is needed for the machine to get an IP, DNS, Windows updates etc., as well as for the support team to access the PC remotely.
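To make the point of this thread concrete, here is an added example that is not Cisco ISE code, an ISE configuration export, or anything posted by the participants. It is a standalone Python model of an ordered, first-match authorization policy evaluated on the TEAP chaining outcome. The `EapChainingResult` strings mirror the condition values used in the linked Cisco document; the rule names, the `MachineOnly-Restricted` profile, the dACL entries and every IP address are constructed for illustration and are not taken from the thread.

```python
"""
Standalone model of how an ordered ISE-style authorization policy treats a
TEAP session whose machine auth passed but whose user auth failed.

Added example for this thread; it is not Cisco ISE code or an ISE config
export. The EapChainingResult values mirror the strings ISE uses in the
condition from the linked Cisco document; rule names, profile names, dACL
entries and all IP addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Chaining outcomes as ISE reports them for a TEAP session.
BOTH_OK = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"
USER_ONLY = "User succeeded and machine failed"


@dataclass(frozen=True)
class Rule:
    name: str
    chaining_result: str   # value of EapChainingResult this rule matches
    profile: str           # authorization profile returned on match


def eap_chaining_result(machine_ok: bool, user_ok: bool) -> Optional[str]:
    """Collapse the two inner EAP-TLS results into the chaining result.

    user_ok=False covers both "user cert rejected" and "no user cert sent yet"
    (pre-logon): both end up in the 'User failed and machine succeeded' bucket.
    Returns None when neither inner method passed; that session is rejected
    at authentication, so authorization never runs.
    """
    if machine_ok and user_ok:
        return BOTH_OK
    if machine_ok:
        return MACHINE_ONLY
    if user_ok:
        return USER_ONLY
    return None


def authorize(policy: List[Rule], machine_ok: bool, user_ok: bool) -> str:
    """First-match evaluation, top to bottom, with an implicit DenyAccess."""
    result = eap_chaining_result(machine_ok, user_ok)
    if result is None:
        return "Access-Reject"
    for rule in policy:
        if rule.chaining_result == result:
            return rule.profile
    return "DenyAccess"


# Policy as described in the original post: both chained outcomes return
# PermitAccess, so a valid machine cert alone is enough for full access.
WEAK_POLICY = [
    Rule("EAP-Chaining User+Machine", BOTH_OK, "PermitAccess"),
    Rule("EAP-Chaining Machine only", MACHINE_ONLY, "PermitAccess"),
]

# Hardened variant suggested in the replies: the machine-only rule returns a
# profile whose dACL allows just what a logged-off PC needs.
HARDENED_POLICY = [
    Rule("EAP-Chaining User+Machine", BOTH_OK, "PermitAccess"),
    Rule("EAP-Chaining Machine only", MACHINE_ONLY, "MachineOnly-Restricted"),
]

# Constructed dACL for the restricted profile (IOS extended-ACL syntax,
# constructed addresses). A dACL filters traffic sent by the endpoint, so
# inbound RDP from a support jump host is allowed by permitting the PC's
# replies sourced from tcp/3389.
MACHINE_ONLY_DACL: Dict[str, List[str]] = {
    "MachineOnly-Restricted": [
        "permit udp any eq bootpc any eq bootps",   # DHCP
        "permit udp any host 10.10.0.53 eq 53",      # DNS
        "permit tcp any host 10.10.0.10 eq 88",      # Kerberos to DC
        "permit tcp any host 10.10.0.10 eq 389",     # LDAP to DC
        "permit tcp any host 10.10.0.10 eq 445",     # SMB: GPO/policy updates
        "permit tcp any host 10.10.0.20 eq 8530",    # WSUS patching
        "permit tcp any eq 3389 host 10.10.0.30",    # RDP replies to jump host
        "deny ip any any",
    ],
    "PermitAccess": ["permit ip any any"],
}


def compare_bad_user_cert() -> Dict[str, str]:
    """The thread's scenario: valid machine cert, bad (or absent) user cert."""
    return {
        "weak": authorize(WEAK_POLICY, machine_ok=True, user_ok=False),
        "hardened": authorize(HARDENED_POLICY, machine_ok=True, user_ok=False),
    }


if __name__ == "__main__":
    for label, profile in compare_bad_user_cert().items():
        print(f"{label:9s} -> {profile}")
        for ace in MACHINE_ONLY_DACL[profile]:
            print(f"{'':12s}{ace}")
```

Running the script prints the profile each policy returns for the bad-user-cert session: the weak policy hands out `PermitAccess`, the hardened one returns the restricted profile with its constructed dACL. The model deliberately has no notion of the Windows logon itself, which is the other half of the discussion above: whether a user with a bad certificate can sit at the PC at all is decided by Windows, while what that PC can reach on the wire is decided entirely by which authorization profile the machine-only rule returns.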