
Understanding TEAP

REJR77
Level 1

Hi Folks,

Managing machine authentication AND user authentication with EAP-TLS is a headache.

So I am considering TEAP (from the native Windows supplicant), which may solve my headache if I correctly understand how it works.

I see that we need at least Windows 10 2004 and ISE 2.7.

Would it be possible to authenticate the machine with its certificate and the user with MS-CHAPv2 through TEAP?

The machine cert would say "OK, my computer is corporate", and user auth with MS-CHAPv2 would allow an easier deployment without dealing with user certificates.

Thanks

Accepted Solutions

Mike.Cifelli
VIP Alumni

Would it be possible to authenticate the machine with its certificate and the user with MS-CHAPv2 through TEAP?

-Yes. TEAP is the non-proprietary industry standard that will allow you to utilize EAP chaining (allows user and machine authentication within one RADIUS/EAP session), essentially allowing you to utilize the native supplicant on Windows machines instead of using EAP-FAST with the AnyConnect NAM module.

These two links should definitely guide you through the process of trial and error testing:

Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE - Cisco (good for EAP chaining understanding)

HTH!