TEAP for Windows 10 using Group Policy and ISE TEAP Configuration


With Windows 10 build 2004 and ISE 2.7 Patch 2, TEAP (EAP Chaining) is now supported. Currently TEAP appears to be configurable only manually, on non-domain-joined workstations, because the TEAP option is not available in the Group Policy editor for domain-managed workstations. However, I was able to push a Group Policy that enables TEAP by exporting a Group Policy, changing the XML content related to the Windows supplicant's TEAP configuration, and then importing it again.

The process below outlines how to configure a TEAP group policy and push it out to domain-joined machines. The following is required:

  • All machines updated to Windows 10 build 2004
  • ISE upgraded to 2.7 Patch 2
  • A domain-joined machine (used to generate the XML config) that has the following:
    • Wired AutoConfig service enabled
    • Network adapter Authentication tab configurable
    • Root CA certificate installed for trust (the root CA that signed the RADIUS certificate ISE will present)
  • A domain-joined machine or group of machines to push the group policy to
  • A domain controller (the example was on Server 2016 Standard with the latest updates installed: 2020-07 Cumulative Update (KB4565511) and 2020-07 Servicing Stack Update (KB4565912))

Generate XML File

1. Log in to the domain-joined machine that will be used to generate the XML and ensure the options defined above have been enabled/imported.

2. Under the Authentication tab of the network adapter properties, set the Choose a network authentication method drop-down to Microsoft: EAP-TEAP.

0.png

3. Click the Settings button next to the drop-down.
• Leave Enable identity privacy enabled with anonymous as the identity.
• Select the check mark next to the root CA(s) under Trusted Root Certification Authorities that signed the certificate used for EAP authentication on the ISE PSN.
• Under Client Authentication, set both the primary and secondary EAP method for authentication to Microsoft: Smart Card or other certificate.

1.png

4. Under each EAP method drop-down, click the Configure button.
• Use a certificate on this computer is the default setting.
• Leave Verify the server's identity by validating the certificate enabled.
• Connect to these servers is optional (just like above).
• Select the check mark next to the root CA(s) under Trusted Root Certification Authorities that signed the certificate used for EAP authentication on the ISE PSN.
• Click OK.
• Repeat for the secondary method.

3.png

5. Return to the Authentication tab and click the Additional Settings button.

4.png

• Enable Specify authentication mode.
• Set the drop-down to the appropriate setting. I am using User or computer authentication so that both are authenticated (computer at boot up to the login screen, then computer and user once a user logs in).
• Click OK.
• Click OK to exit the LAN connection properties.

5.png

6. Open a command prompt as administrator and execute the following commands:

netsh lan show profiles

Note down the interface name.

netsh lan export profile folder=PATH_TO_FOLDER interface="INTERFACE_NAME"

6.png

An XML file containing the required TEAP configuration is generated in the folder you specified; it is named after the interface.

7. Open the XML file and copy everything within <EAPConfig> ... </EAPConfig>. Store it in a text file to be used later.

7.png
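The export in step 6 and the extraction in step 7 can be scripted so the same fragment is produced every time. The PowerShell below is an added example and not part of the original article; it assumes placeholder values for the interface name and output folder, and that the exported profile follows the standard Windows EapHostConfig layout, in which TEAP is identified as EAP method type 55 (its IANA-assigned type, RFC 7170).

```powershell
# Added example, not from the original article.
# Exports the wired LAN profile built in steps 1-5 and saves its <EAPConfig>
# element on its own, ready to be merged into the GPO backup later.
# Assumptions: run as administrator on the configured workstation;
# $InterfaceName and $OutFolder are placeholders for your environment.
param(
    [string]$InterfaceName = 'Ethernet',             # placeholder: take it from 'netsh lan show profiles'
    [string]$OutFolder     = 'C:\Temp\TEAP-Export'   # placeholder output location
)

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Step 6: the same netsh export as in the article. netsh names the file after the interface.
netsh lan export profile folder="$OutFolder" interface="$InterfaceName" | Out-Null
$profilePath = Join-Path $OutFolder "$InterfaceName.xml"
if (-not (Test-Path $profilePath)) {
    throw "Export failed: $profilePath not found. Check the interface name with 'netsh lan show profiles'."
}

# Step 7: parse the file as XML instead of copying text by hand. local-name() matches the
# element whatever namespace prefix the export uses.
[xml]$profileXml = Get-Content -Path $profilePath -Raw
$eapConfig = $profileXml.SelectSingleNode("//*[local-name()='EAPConfig']")
if ($null -eq $eapConfig) {
    throw "No <EAPConfig> element in $profilePath. Was Microsoft: EAP-TEAP selected in step 2?"
}

# Sanity check before saving: the outer EAP method must be TEAP (type 55, RFC 7170).
$outerType = $eapConfig.SelectSingleNode(".//*[local-name()='EapMethod']/*[local-name()='Type']")
if ($null -eq $outerType -or $outerType.InnerText.Trim() -ne '55') {
    throw "Outer EAP method type is '$($outerType.InnerText)', expected 55 (TEAP). Re-check step 2."
}

# Save only the <EAPConfig> fragment; this is what replaces the dummy PEAP section in Backup.xml.
$fragmentPath = Join-Path $OutFolder 'EAPConfig.xml'
$eapConfig.OuterXml | Set-Content -Path $fragmentPath -Encoding UTF8
Write-Host "Saved <EAPConfig> fragment to $fragmentPath"
```

Parsing the export as XML rather than copying between two angle brackets in Notepad means a truncated or doubled paste is caught here, on the workstation, instead of surfacing later as a GPO import that silently drops the wired policy.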

Create Group Policy to push TEAP configuration to Workstations

***Note: in this example the group policy is applied to all machines; you can configure the policy to apply only to certain groups.

1. Log in to the Domain Controller and open Group Policy Management.

8.png

2. Right click on the domain and select Create a GPO in this domain, and link it here.

9.png

10.png

Name the new GPO.

3. Right click on the newly created policy and click Edit, then navigate to:

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services
  • Double click the Wired AutoConfig service, select Define this policy setting and set the service startup mode to Automatic.

11.png

4. Navigate to:

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wired Network (IEEE 802.3) Policies
  • Right click in the right-hand pane and select Create A New Wired Network Policy for Windows Vista and Later Releases.

12.png

5. Name the policy, move to the Security tab and select the following (this is a dummy configuration; it will be replaced when the edited backup is imported):

  • Tick Enable use of IEEE 802.1X authentication for network access
  • Select PEAP as the network authentication method
  • Select User or Computer authentication as the authentication mode

13.png

14.png

6. Right click on the Group Policy created and select Back Up...

15.png

Select the location to save the backup and click Back Up.

7. Navigate to the folder where the backup was saved and open the Backup.xml file in Notepad.

16.png

8. Replace the <EAPConfig> ... </EAPConfig> section with the generated EAPConfig saved previously:

17.png

Existing

18.png

Replaced

Ensure you save the file in Notepad.
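Step 8 is a plain text edit in Notepad; the PowerShell below is an added example (not the article's own procedure) that performs the same replacement as an XML operation so that a malformed paste cannot slip through. It assumes the two paths are placeholders, that the fragment was saved from the workstation export in step 7, and that Backup.xml holds <EAPConfig> as an actual XML element rather than escaped text, which is how the article's screenshots show it.

```powershell
# Added example, not from the original article.
# Replaces the dummy <EAPConfig> in the GPO backup's Backup.xml with the TEAP
# fragment exported from the workstation (step 7), then verifies the result.
# Assumptions: $BackupXml and $FragmentPath are placeholders; <EAPConfig> is a
# real element inside Backup.xml (as in the article's screenshots).
param(
    [string]$BackupXml    = 'C:\GPOBackup\{BACKUP-GUID-PLACEHOLDER}\Backup.xml',
    [string]$FragmentPath = 'C:\Temp\TEAP-Export\EAPConfig.xml'
)

[xml]$backup   = Get-Content -Path $BackupXml -Raw
[xml]$fragment = Get-Content -Path $FragmentPath -Raw

# Locate the existing (PEAP dummy) EAPConfig written by the wired policy created in step 5.
$old = $backup.SelectSingleNode("//*[local-name()='EAPConfig']")
if ($null -eq $old) {
    throw "Backup.xml has no <EAPConfig> element. Was the wired policy from step 5 saved before backing up?"
}

# Keep the untouched backup so the import can be reverted if the GPO misbehaves.
Copy-Item -Path $BackupXml -Destination "$BackupXml.orig" -Force

# Nodes from another document must be imported before they can be placed in this one.
$new = $backup.ImportNode($fragment.DocumentElement, $true)
$old.ParentNode.ReplaceChild($new, $old) | Out-Null

# Post-edit checks: exactly one EAPConfig remains and its outer method is TEAP (type 55).
$remaining = $backup.SelectNodes("//*[local-name()='EAPConfig']")
if ($remaining.Count -ne 1) {
    throw "Expected exactly one <EAPConfig> after replacement, found $($remaining.Count)."
}
$type = $remaining[0].SelectSingleNode(".//*[local-name()='EapMethod']/*[local-name()='Type']")
if ($null -eq $type -or $type.InnerText.Trim() -ne '55') {
    throw "Replacement did not produce a TEAP (type 55) outer method; the fragment may be wrong."
}

# Save over the original; the GPO import in step 9 reads this file.
$backup.Save($BackupXml)
Write-Host "Replaced <EAPConfig> in $BackupXml; original kept as $BackupXml.orig"
```

Keeping the untouched copy next to the edited file is deliberate: if the imported policy misbehaves on clients, re-importing the original backup returns the GPO to the known dummy PEAP state while the fragment is investigated.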

9. Right click on the Group Policy again and select Import Settings.

19.png

  • Don't worry about backing up the policy; this has already been completed. Click Next -> Next.
  • Select the location where the backup was created previously and which contains the edited Backup.xml file.
  • Select Next -> Finish -> OK.
  • You will see the GPO status is Succeeded.

10. Navigate back to the Wired Network (IEEE 802.3) Policies and edit the policy that was created. It will not display the TEAP configuration, because TEAP is unsupported in the editor, but will display something similar to this:

20.png

Confirming Domain Joined Workstation has received TEAP configuration:

1. Log in to a test workstation that has a user and machine certificate and has been enabled to receive the group policy. Open a cmd and execute the following commands:

gpupdate /force - This forces a group policy update.

gpresult /scope:computer /v - This confirms the group policy has been applied; look under Applied Group Policy Objects.

21.png
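To check more than one workstation without clicking through the adapter UI, the following PowerShell is an added example (not from the article). It assumes placeholder values for the GPO name and interface, reads the computer-side Group Policy history in the registry instead of parsing localized gpresult text, and assumes that netsh lan export profile returns the effective (GPO-applied) profile for the interface so that the outer EAP type can be checked for 55 (TEAP).

```powershell
# Added example, not from the original article.
# Verifies on a workstation that (a) the TEAP GPO was applied to the computer and
# (b) the wired supplicant's effective profile uses TEAP as the outer EAP method.
# Assumptions: $GpoName and $InterfaceName are placeholders; run as administrator;
# 'netsh lan export profile' is assumed to return the effective (GPO-applied) profile.
param(
    [string]$GpoName       = 'TEAP Wired Policy',  # placeholder: the GPO name from step 2
    [string]$InterfaceName = 'Ethernet'            # placeholder: see 'netsh lan show profiles'
)

# (a) Refresh policy, then look the GPO up in the computer-side policy history.
# Each client-side extension records the GPOs it processed under this key, with a DisplayName.
gpupdate /force /target:computer | Out-Null
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$applied = Get-ChildItem -Path $historyKey -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName -eq $GpoName }
$gpoApplied = $null -ne $applied

# (b) Export the effective wired profile and read the outer EAP method type.
$tmp = Join-Path $env:TEMP 'teap-verify'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh lan export profile folder="$tmp" interface="$InterfaceName" | Out-Null
$profilePath = Join-Path $tmp "$InterfaceName.xml"
$outerType = 'none'
if (Test-Path $profilePath) {
    [xml]$profileXml = Get-Content -Path $profilePath -Raw
    $node = $profileXml.SelectSingleNode("//*[local-name()='EAPConfig']//*[local-name()='EapMethod']/*[local-name()='Type']")
    if ($null -ne $node) { $outerType = $node.InnerText.Trim() }
}

# One row per machine; collect these across the fleet to spot stragglers.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    GpoApplied   = $gpoApplied
    OuterEapType = $outerType
    IsTeap       = ($outerType -eq '55')   # 55 = TEAP (RFC 7170)
}
```

A machine that reports GpoApplied true but IsTeap false is the case worth chasing: the policy reached it, but the supplicant did not pick up the imported EAPConfig, which usually points back at the XML edit in step 8 rather than at GPO linking or filtering.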

2. Navigate to the wired network adapter's Authentication tab and you will see Microsoft: EAP-TEAP selected as the authentication method. If you navigate around the rest of the Authentication settings, they will match what was created via the XML.

eaps.png

22.png

23.png

Configure ISE for TEAP

1. Navigate to Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols and select the Allowed Protocols service that is used in your existing policy.

  • Ensure Allow TEAP is ticked, and the Enable EAP Chaining tick box is also selected

24.png

2. Navigate to your wired dot1x policy and ensure there is an EAP-TLS authentication policy.

25.png

3. Create two authorization policies. The first rule is for machine authentication; its condition checks that the machine is authenticated but the user is not. The second rule is for user and machine authentication; its condition checks that both the user and the machine have successfully authenticated. Both rules use the Network Access · EapChainingResult attribute.

26.png

Comments
hslai
Cisco Employee

Many thanks for sharing. The other option to add/edit TEAP properties is to install RSAT on a domain computer with Windows 10 May 2020 Update, log in as a domain admin user, and then use gpmc.msc (Group Policy Management) and the editor there.

Screen Shot 2020-08-26 at 9.30.09 AM.png

james.howard
Beginner

@hslai No problems, I hope it helps.

With the other option would that mean you have to make the change on each domain computer?

hslai
Cisco Employee

@james.howard: This is just another way to manage GPOs in AD, so the GPOs will deploy the same way as if we edit them directly on a domain controller. The new GUI elements are only available through RSAT for the latest Windows 10 client OS. I did this in our lab to manage the AD on a Windows core server, from the 20H1 insider preview, but it can also manage the previous Windows server releases. The drop-down menus for the inner EAP method selection might still not work, and we have been working around that by using the up and down arrow keys on the keyboard.

Arne Bier
VIP Advisor

What's been the general feeling about EAP-TEAP for Windows 10 clients? Does it solve all the use case issues that were previously only solved with AnyConnect NAM?

e.g. can I sleep/suspend the machine while on the wired network, and then resume while on wired and be authenticated?

Can I move from wired to wireless while user is logged in, and then do various permutations of sleep, and then resume on wired network etc. Basically, if the machine comes out of sleep mode, whichever medium is available, will EAP-TEAP always perform machine AND user authentication (because coming out of sleep mode means that the user is at the login prompt) ?

dal
Participant

Excellent.

Does EAP-TEAP with certificates on both authentication methods (TEAP (EAP-TLS)) support Password change?

We use EAP-TLS for 802.1x, and that does NOT support password change against Active Directory, and that causes a heap of trouble

giovanni.augusto
Beginner

@hslai and @james.howard 

Thank you for the information. I currently have wireless deployed with EAP-Chaining and NAM, and I am setting up a lab with a Windows 10 Pro 2004 build to test a possible transition to TEAP. To my surprise I can find TEAP authentication options for the WIRED LAN, but I cannot find them for the WIRELESS interface for testing the settings manually... does it happen to you too? How did you solve it, if you did?

Thanks a lot

EDIT:

I found the solution: 

Actually the problem is that Microsoft is still divided between their new UI introduced with Windows 10 and the older UI that came with Vista/7/8.

To find EAP-TEAP settings for a manual configuration you need to open Network & Internet settings.

Screenshot 2020-12-08 200105.png

Select Network and Sharing Center.

Screenshot 2020-12-08 200216.png

Set up a new connection or network.

Screenshot 2020-12-08 200355.png

After selecting to connect to a wireless network, it also offers TEAP security options with WPA2-Enterprise.

hslai
Cisco Employee

giovanni.augusto

You are correct, it is not straightforward with the new UI. See my screen capture for one way to do it.

hslai
Cisco Employee

@dal 

Certificates do not use passwords, so it's not clear how EAP-TLS is affecting password changes.

giovanni.augusto
Beginner

@hslai @james.howard 

Thank you both!

Did you have a chance to verify whether it is now possible to configure TEAP via GPOs? If yes, on which Windows Server version? 2012 R2, 2016 or...?

Thank you

hslai
Cisco Employee

@giovanni.augusto

Yes, we can enforce TEAP via GPOs. James and I provided two different ways to configure them as shown above and both are valid.

giovanni.augusto
Beginner

Thank you @hslai 

I have tried your method and it works OK and I can configure the GPO object, but I cannot see the settings from either a Windows 2012 R2 or a Windows 2016. Do you know how this could be fixed?

Also, I have tried TEAP with both ISE 2.7 p2 and ISE 3.0 (no patch) with the following scheme:

Primary authentication: MS-CHAPv2 in single sign on

Secondary authentication: certificate

Both ISEs are joined to the same domain and same server.

Workstation is a Windows 10 build 2004 with the latest patch.

The problem is that with ISE 2.7 p2 the AD groups are not pulled and the authorization fails all the time;

with ISE 3.0 instead everything works fine.

Q1: Is this something that will be fixed soon in ISE 2.7, or is ISE 3.x the way to go?

A1: ISE 2.7 Patch #3 seems to work fine with TEAP and AD groups, just tested it (02/03/2021)

My understanding is that the differences are mostly in the licensing scheme of the new ISE 3.x compared to the ISE 2.4 version I run now in production.

Q2: Is there any other substantial difference in operational features that would be worth considering and that would break during an update from 2.4 to 3.x?

Additionally I ran some tests on TEAP and I can confirm that

primary authentication is the user authentication

secondary authentication is the machine authentication

I don't remember reading this anywhere so I thought it was worth mentioning here.

Thanks!

giovanni.augusto
Beginner

Hi again everyone,

I am still looking for the TEAP settings in the Group Policy Management tool in Windows 2016 (or 2012), and even after applying the latest Windows 10 ADMX I don't have these settings. Is there something I am missing, or do you still have the same behavior?

Thanks

tfriedrich4733
Beginner

@james.howard & @hslai 

I was able to follow your steps for wired no problem. Yay!

Have you been able to do this with EAP-TEAP for wireless with GPO? I have EAP-TEAP for wireless functioning (manually configured) on a laptop, but for GPO am stuck.

However, I tried to do step 8, tweaked for a WiFi GPO, and when I get to step 9 and reimport, my WiFi SSID gets erased in the GPO view. My laptop receives the GPO, but no actual WiFi profiles once I paste in the manually working <EAPConfig> ... </EAPConfig> section.

8. Replace the <EAPConfig> ... </EAPConfig> section with the generated EAPConfig created and saved previously:

Any insight is appreciated!

hslai
Cisco Employee

giovanni.augusto and tfriedrich4733, I would suggest using RSAT instead. When I tried it with 20H1 server core, the gpedit there did not show the TEAP options. Editing the XML files needs a good understanding of how the elements are structured and referenced.

Below is a screenshot in our lab guide in April 2020:

Screen Shot 2021-03-26 at 12.50.53 PM.png
