Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5640
Views
10
Helpful
2
Replies

Windows 10 TEAP EAP-Chaining with ISE

Go to solution
nathgregory
Level 1
Level 1

‎05-05-2021 10:57 AM

We are just starting to test using TEAP with Windows and Cisco ISE (EAP-Chaining) rather than use the AnyConnect NAM module.

 

We have deployed Workstation Authentication Certificates and are trying to get the machine authentication done via certificate and the user authentication via username/password (MSCHAPV2) - both of which will be Active Directory authenticated.

My main question is that so far the ISE Live Logs show EAP (MSCHAPV2) for both the machine and user auth.

Is using MSCHAPV2 secure enough for machine authentication?

Is it actually the certificate or not?

Or should I be aiming to ensure the machine authentication part is EAP-TLS?

Bit confused about how secure machine auth is with MSCHAPV2.

We have experimented with the settings on Windows but cannot seem to get the cert for machine auth to work?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-05-2021 05:09 PM

Certificate-based EAP methods like EAP-TLS are generally considered more secure than password-based methods like PEAP-MSCHAPv2. See this blog for details on two.

Machine auth using EAP-TLS is common, but lots of organisations find user certificate-based user auth too difficult to manage due to certificate enrollment, expiry, etc. TEAP supports using EAP-TLS for machine auth and PEAP-MSCHAPv2, so it's a viable option to mitigate user certificate concerns. It also provides the added benefit of EAP Chaining. I would suggest reviewing the Using TEAP for EAP Chaining document and comparing it to your setup.

It's not very clear in the UI but, in the Client Authentication section of the supplicant the 'Primary EAP method' refers to the User auth state, and the 'Secondary EAP method' refers to the computer auth state.

View solution in original post

2 Replies 2

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-05-2021 05:09 PM

Certificate-based EAP methods like EAP-TLS are generally considered more secure than password-based methods like PEAP-MSCHAPv2. See this blog for details on two.

Machine auth using EAP-TLS is common, but lots of organisations find user certificate-based user auth too difficult to manage due to certificate enrollment, expiry, etc. TEAP supports using EAP-TLS for machine auth and PEAP-MSCHAPv2, so it's a viable option to mitigate user certificate concerns. It also provides the added benefit of EAP Chaining. I would suggest reviewing the Using TEAP for EAP Chaining document and comparing it to your setup.

It's not very clear in the UI but, in the Client Authentication section of the supplicant the 'Primary EAP method' refers to the User auth state, and the 'Secondary EAP method' refers to the computer auth state.

Go to solution
nathgregory
Level 1
Level 1
In response to Greg Gibbs

‎05-06-2021 04:20 AM

Thanks that got it working!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents