05-30-2024 07:11 AM - edited 05-31-2024 10:52 PM
With Windows 10 build 2004 and ISE 2.7 Patch 2, EAP-TEAP is now supported. However, if your Microsoft Active Directory runs on Windows Server 2019 or an earlier operating system, EAP-TEAP can only be configured manually, as for non-domain-joined workstations, because the "TEAP" option is not available in the Group Policy configuration for domain-managed workstations.
In this document, I will introduce a workaround to resolve this limitation. However, if you upgrade your domain controllers' operating system to Windows Server 2022, you won't need this workaround, as this version supports configuring EAP-TEAP through Group Policy natively.
This article is based on "TEAP for Windows 10 using Group Policy and ISE TEAP Configuration" with the following additions and modifications:
Configuring Group Policy support for EAP-TEAP varies slightly between wired and wireless connections, but the main steps are essentially the same.
The steps to prepare Group Policy based EAP-TEAP deployment for wireless connections are as follows:
Select your internal Root CA name from the "Trusted Root Certification Authorities" section. If you do not have an internal Public Key Infrastructure (PKI), import the ISE certificates on the system (through Group Policy or manually) and then select both ISE certificates from that section (if your clients are configured to authenticate against two PSNs). Importing the certificates is beyond the scope of this document.
After finishing the configuration above, open the Windows CLI with administrative credentials and export the configuration above into an XML file. To do so, follow the steps below:
Open the XML file, copy everything from <EAPConfig> to </EAPConfig> (inclusive) and store it in a text file for later use.
Transfer the text file containing the extracted configuration to one of your domain controllers.
Using the Group Policy Management Console (gpmc.msc) on one of the existing domain controllers, create a new Group Policy Object (GPO) and configure it as follows:
Because the configuration below may disrupt current network operations on endpoints, create the GPO in an empty OU.
Leave the configuration at its defaults; it is only a placeholder and will be overridden by the configuration exported in Step 3.
Navigate to the folder where the backup was saved and open the Backup.xml file in Notepad.
Replace the <EAPConfig> ... </EAPConfig> section with the "EAPConfig" section you saved previously, then save the file:
If you now look at the settings configured earlier (in Step 4) in the created GPO, you will find that they have disappeared. That is expected: Windows Server 2019 Group Policy does not support EAP-TEAP, so after the procedure in Step 7 it treats the currently applied configuration as corrupted.
From now on, the easiest way to configure the EAP-TEAP settings is through a Windows 10 (build 2004 or later), Windows 11 or Windows Server 2022 machine that is joined to the domain and has the Group Policy Management Console installed locally.
The steps to prepare Group Policy for wired connections are as follows:
Select your internal Root CA name from the "Trusted Root Certification Authorities" section. If you do not have an internal Public Key Infrastructure (PKI), import the ISE certificates on the system (through Group Policy or manually) and then select both ISE certificates from that section (if your clients are configured to authenticate against two PSNs). Importing the certificates is beyond the scope of this document.
The name given to the "interface=" parameter is shown in the second figure of Step 2.
Open the XML file, copy everything from <EAPConfig> to </EAPConfig> (inclusive) and store it in a text file for later use.
Transfer the text file containing the extracted configuration to one of your domain controllers.
Using the Group Policy Management Console (gpmc.msc) on one of your Active Directory domain controllers, create a new Group Policy Object (GPO) and configure it as follows:
Because the configuration below may disrupt current network operations on endpoints, create the GPO in an empty OU.
Navigate to the folder where the backup was saved and open the Backup.xml file in Notepad.
Replace the <EAPConfig> ... </EAPConfig> section with the "EAPConfig" section you saved previously, then save the file:
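The manual edit described above (for the wireless procedure as well as this wired one) is the same text operation in both cases: take the <EAPConfig> element from the profile exported on the Windows 10 client and put it in place of the placeholder <EAPConfig> in the GPO backup's Backup.xml, then import the backup back into the GPO. The script below is an added example and is not part of the original article, nor is it Cisco or Microsoft tooling. It assumes the GroupPolicy PowerShell module (installed with RSAT/GPMC) is available on the domain controller, that the placeholder 802.1X policy already exists in the GPO, that the export file came from netsh (wlan export profile for wireless, lan export profile with the interface= parameter for wired), and that the GPO name and paths in the param block are replaced with your own. It also adds a check the article does not spell out: it refuses to import a profile whose outer EAP method is not TEAP (EAP type 55), since GPMC on Server 2019 will accept the edited backup without ever rendering the TEAP settings.

```powershell
<#
 Added example (not from the original article). Splices the <EAPConfig> element from a
 netsh-exported 802.1X profile into a GPO backup and imports it back into the GPO.
 Assumed: GroupPolicy module present, placeholder policy already in the GPO, and the
 default names/paths below adjusted to your environment.
#>
param(
    [string]$GpoName         = "TEAP-8021X-Policy",             # assumed GPO name
    [string]$ExportedProfile = "C:\TEAP\exported-profile.xml",  # assumed netsh export
    [string]$BackupDir       = "C:\TEAP\gpo-backup"             # assumed backup folder
)
$ErrorActionPreference = "Stop"
Import-Module GroupPolicy

# Return the single <EAPConfig>...</EAPConfig> match in a text blob, or fail loudly.
# A GPO that holds both a wired and a wireless policy has two, and blindly replacing
# the first one would patch the wrong policy.
function Get-EapConfigMatch([string]$Text, [string]$Source) {
    $found = [regex]::Matches($Text, '(?s)<EAPConfig>.*?</EAPConfig>')
    if ($found.Count -ne 1) {
        throw "Expected exactly one <EAPConfig> element in $Source, found $($found.Count)"
    }
    return $found[0]
}

# 1. Extract the EAPConfig from the profile exported on the Windows 10 2004+ client.
$profileText = [System.IO.File]::ReadAllText($ExportedProfile)
$eapConfig   = (Get-EapConfigMatch $profileText $ExportedProfile).Value

# 2. Check the outer EAP method really is TEAP (EAP type 55, RFC 7170). The first <Type>
#    element in EapHostConfig is the outer method; an accidentally exported PEAP profile
#    would carry 25 and import without any complaint from GPMC.
$outerType = [regex]::Match($eapConfig, '<Type(\s[^>]*)?>(\d+)</Type>').Groups[2].Value
if ($outerType -ne '55') { throw "Exported profile uses EAP type '$outerType', not TEAP (55)" }

# 3. Back up the GPO holding the placeholder policy and locate its Backup.xml
#    (backups land in a {BackupId} folder under the backup directory).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup    = Backup-GPO -Name $GpoName -Path $BackupDir
$backupXml = Get-ChildItem -Path (Join-Path $BackupDir "{$($backup.Id)}") -Filter Backup.xml -Recurse |
             Select-Object -First 1 -ExpandProperty FullName

# 4. Swap the placeholder EAPConfig for the TEAP one. Backup.xml carries the element
#    literally, as the article describes. The file is read with BOM detection and written
#    back with the same encoding so its XML declaration stays truthful.
$reader     = New-Object System.IO.StreamReader($backupXml, $true)
$backupText = $reader.ReadToEnd()
$encoding   = $reader.CurrentEncoding
$reader.Close()
$old     = Get-EapConfigMatch $backupText $backupXml
$patched = $backupText.Substring(0, $old.Index) + $eapConfig +
           $backupText.Substring($old.Index + $old.Length)
[System.IO.File]::WriteAllText($backupXml, $patched, $encoding)

# 5. Import the edited backup over the same GPO. GPMC on Server 2019 will now show the
#    802.1X settings as empty because it cannot render TEAP, which is the behaviour the
#    article describes as expected.
Import-GPO -BackupId $backup.Id -Path $BackupDir -TargetName $GpoName | Out-Null
Write-Output "TEAP EAPConfig from '$ExportedProfile' imported into GPO '$GpoName'"
```

Run it on the domain controller as a user who can back up and import the GPO, for example `.\Set-TeapGpo.ps1 -GpoName "Corp-Wired-TEAP" -ExportedProfile "C:\TEAP\Ethernet.xml" -BackupDir "C:\TEAP\gpo-backup"`. The substring splice is used instead of a regex replacement so that nothing in the exported EAPConfig is interpreted as a replacement pattern, and the backup folder is kept afterwards so you retain a copy of both the placeholder and the patched policy.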
If you now look at the settings configured earlier (in Step 4) in the created GPO, you will find that they have disappeared. That is expected: Windows Server 2019 Group Policy does not support EAP-TEAP, so after the procedure in Step 8 it treats the currently applied configuration as corrupted.
Accordingly, the only supported way to configure the EAP-TEAP settings is through a Windows 10 (build 2004 or later), Windows 11 or Windows Server 2022 machine that is joined to the domain and has the Group Policy Management Console installed locally.