rezaalikhani

 

Overview

With Windows 10 build 2004 and ISE 2.7 Patch 2, EAP-TEAP is now supported. However, if your Microsoft Active Directory runs on Windows Server 2019 or earlier, EAP-TEAP can only be configured manually, as for non-domain-joined workstations. This is because the "TEAP" option is not available in the Group Policy configuration for domain-managed workstations.

In this document, I will introduce a workaround to resolve this limitation. However, if you upgrade your domain controllers' operating system to Windows Server 2022, you won't need this workaround, as this version supports configuring EAP-TEAP through Group Policy natively.

This article is based on "TEAP for Windows 10 using Group Policy and ISE TEAP Configuration" with the following additions and modifications:

  • More clarification of the steps involved in configuring wired network connections based on EAP-TEAP
  • New section on wireless network connections based on EAP-TEAP
  • New section on ongoing configuration and modification of the created EAP-TEAP GPO

 

Group Policy Preparation for EAP-TEAP

Configuring Group Policy support for EAP-TEAP varies slightly between wired and wireless connections, but the main steps are essentially the same.

 

Configuring Group Policy for Wireless Connections

The steps to prepare Group Policy based EAP-TEAP deployment for wireless connections are as follows:

  1. Create a wireless connection on a Windows 10 client running at least build 2004 (the client must have a wireless network adapter installed) and configure your required EAP-TEAP settings on it
  2. Export the configuration of the newly created wireless connection to an XML file using the “netsh” command in the Windows CLI
  3. Extract the EAP-TEAP specific configuration from the XML file, save it as a text file, and transfer that text file to one of your Active Directory domain controllers
  4. Create a new Organizational Unit (OU), then create a new Group Policy Object (GPO) and link it to the OU. Afterwards, modify the GPO using the procedures described later
  5. Back up the configuration of the GPO
  6. Replace the EAP configuration section of the backup file with the configuration extracted in Step 3
  7. Import the modified backup file into the GPO created in Step 4
  8. The GPO is now ready with the EAP-TEAP configuration for deployment in the production network

 

Step 1. Create A New Wireless Connection based on EAP-TEAP

 

Select your internal Root CA name from the "Trusted Root Certification Authorities" section. If you do not have an internal Public Key Infrastructure (PKI), import the ISE certificates onto the system using Group Policy or manually, then select both ISE certificates (if your clients are configured to talk to two PSNs) from that section (this operation is beyond the scope of this document).

 

Step 2. Export the configuration of the newly created wireless connection to an XML file

After finishing the configuration above, open the Windows CLI with administrative credentials and export the configuration to an XML file using the “netsh” command.

 

Step 3. Extract the EAP-TEAP specific configuration from the XML file

Open the XML file, copy everything within <EAPConfig> ..... </EAPConfig>, and store it in a text file to be used later.

Transfer the text file containing the extracted configuration to one of your domain controllers.

 

Step 4. Create Group Policy to push “TEAP” configuration to wireless endpoints

Using Group Policy Management Console (gpmc.msc) on one of the existing domain controllers, create a new Group Policy Object (GPO) and then configure it based on the following configurations:

Because the configuration below may disrupt current network operations on endpoints, create the GPO on an empty OU.


Leave the configuration at its defaults; it is a dummy configuration and will be overridden by the configuration extracted in Step 3.

 

Step 5. Backup the configuration of the GPO


Navigate to the folder where the backup was saved and open the Backup.xml file in Notepad.

 

Step 6. Replace the EAP configs section of the backup file with the extracted configs from Step 3

Replace the <EAPConfig> ... </EAPConfig> section with the "EAPConfig" block extracted and saved previously, then save the file.

 

Step 7. Import the modified backup file to the created GPO in Step 4


With the above configuration in place, if you look at the settings configured earlier on the GPO (in Step 4), you will find that they have disappeared. That is expected: Windows Server 2019 Group Policy does not support EAP-TEAP, so after the import performed in Step 7 it assumes that the applied configuration has been corrupted.

From now on, the easiest way to configure EAP-TEAP settings is from a domain-joined machine running Windows 10 build 2004 or later, Windows 11, or Windows Server 2022 that has the Group Policy Management Console installed locally.

 

Configuring Group Policy for Wired Connections

The steps to prepare Group Policy for wired connections are as follows:

  1. Start the “Wired AutoConfig” service on a Windows 10 client running at least build 2004
  2. Configure your required EAP-TEAP options on the client from Step 1
  3. Export the configuration of the newly created wired connection to an XML file using the “netsh” command in the Windows CLI
  4. Extract the EAP-TEAP specific configuration from the XML file, save it as a text file, and transfer that text file to one of your Active Directory domain controllers
  5. Create a new Organizational Unit (OU), then create a new Group Policy Object (GPO) and link it to the OU. Afterwards, modify the GPO using the procedures described later
  6. Back up the configuration of the GPO
  7. Replace the EAP configuration section of the backup file with the configuration extracted in Step 4
  8. Import the modified backup file into the GPO created in Step 5
  9. The GPO is now ready with the EAP-TEAP configuration for deployment in the production network

 

Step 1. Start “Wired AutoConfig” service


 

Step 2. Configure EAP-TEAP based on your current security policy

Select your internal Root CA name from the "Trusted Root Certification Authorities" section. If you do not have an internal Public Key Infrastructure (PKI), import the ISE certificates onto the system using Group Policy or manually, then select both ISE certificates (if your clients are configured to talk to two PSNs) from that section (this operation is beyond the scope of this document).

 

Step 3. Export the configuration of the newly created wired connection to an XML file

The value of the “interface=” parameter is the name shown in the second figure of Step 2.

 

Step 4. Extract the EAP-TEAP specific configuration from the XML file

Open the XML file, copy everything within <EAPConfig> ..... </EAPConfig>, and store it in a text file to be used later.

Transfer the text file containing the extracted configuration to one of your domain controllers.

 

Step 5. Create Group Policy to push “TEAP” configuration to wired endpoints

Using Group Policy Management Console (gpmc.msc) on one of your Active Directory domain controllers, create a new Group Policy Object (GPO) and then configure it based on the following configurations:

Because the configuration below may disrupt current network operations on endpoints, create the GPO on an empty OU.


 

Step 6. Backup the configuration of the GPO


Navigate to the folder where the backup was saved and open the Backup.xml file in Notepad.

 

Step 7. Replace the EAP configs section of the backup file with the extracted configs from Step 4

Replace the <EAPConfig> ... </EAPConfig> section with the "EAPConfig" block extracted and saved previously, then save the file.
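The replacement in this step (and in Step 6 of the wireless procedure) can be done as a text splice in PowerShell instead of Notepad. This is an added example, not part of the original article; the function names, the file paths and the check for EAP type 55 (TEAP) are assumptions of the example.

```powershell
# Added example, not from the original article. All paths are placeholders.
# Profile export on the Windows 10 client (elevated prompt):
#   netsh wlan export profile name="<profile name>" folder=C:\Temp
#   netsh lan  export profile folder=C:\Temp interface="<interface name>"

function Read-TextWithEncoding {
    param([string]$Path)
    $full   = (Resolve-Path -LiteralPath $Path).Path
    $reader = [System.IO.StreamReader]::new($full, $true)   # detect encoding from the BOM
    try {
        $text = $reader.ReadToEnd()
        return @{ Path = $full; Text = $text; Encoding = $reader.CurrentEncoding }
    } finally { $reader.Dispose() }
}

function Get-EapConfigSpan {
    param([string]$Text, [string]$Label)
    # Count tags separately so a nested or repeated element is rejected, not truncated.
    $opens  = [regex]::Matches($Text, '<EAPConfig>')
    $closes = [regex]::Matches($Text, '</EAPConfig>')
    if ($opens.Count -ne 1 -or $closes.Count -ne 1) {
        throw "${Label}: expected one <EAPConfig> element, found $($opens.Count) open / $($closes.Count) close tags"
    }
    $start = $opens[0].Index
    $len   = $closes[0].Index + $closes[0].Length - $start
    return @{ Start = $start; Length = $len; Value = $Text.Substring($start, $len) }
}

function Set-GpoBackupEapConfig {
    param(
        [Parameter(Mandatory)][string]$ProfileXml,  # file written by netsh export
        [Parameter(Mandatory)][string]$BackupXml    # Backup.xml in the GPO backup folder
    )
    $src = Read-TextWithEncoding $ProfileXml
    $dst = Read-TextWithEncoding $BackupXml
    $new = Get-EapConfigSpan $src.Text 'exported profile'
    $old = Get-EapConfigSpan $dst.Text 'Backup.xml'
    # Assumption: the exported block names its EAP method by number; TEAP is type 55.
    if ($new.Value -notmatch '<Type[^>]*>\s*55\s*</Type>') {
        Write-Warning 'No EAP type 55 (TEAP) found in the exported block.'
    }
    # Keep the untouched backup once, then splice the new block over the old one.
    if (-not (Test-Path -LiteralPath "$($dst.Path).orig")) {
        Copy-Item -LiteralPath $dst.Path -Destination "$($dst.Path).orig"
    }
    $patched = $dst.Text.Substring(0, $old.Start) + $new.Value +
               $dst.Text.Substring($old.Start + $old.Length)
    [System.IO.File]::WriteAllText($dst.Path, $patched, $dst.Encoding)
}
# Set-GpoBackupEapConfig -ProfileXml 'C:\Temp\Ethernet.xml' -BackupXml 'C:\GPOBackup\{GUID}\Backup.xml'
```

The function stops with an error if either file does not contain exactly one <EAPConfig> element, and it keeps the unmodified Backup.xml beside the patched one with an .orig suffix.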


 

Step 8. Import the modified backup file to the created GPO in Step 5


With the above configuration in place, if you look at the settings configured earlier on the GPO (in Step 5), you will find that they have disappeared. That is expected: Windows Server 2019 Group Policy does not support EAP-TEAP, so after the import performed in Step 8 it assumes that the applied configuration has been corrupted.

Consequently, the only supported way to configure EAP-TEAP settings is from a domain-joined machine running Windows 10 build 2004 or later, Windows 11, or Windows Server 2022 that has the Group Policy Management Console installed locally.

 
