With Windows 10 build 2004 and ISE 2.7 Patch 2 TEAP (EAP Chaining) is now supported. It seems currently TEAP can only be configured manually for non-domain joined workstations. This is due to the TEAP option not available under the group policy configuration, for domain managed workstations. However I was able to push a group policy that enables TEAP, by exporting a group policy, changing some XML content related to the Windows Supplicant TEAP configuration, then importing again.
The process below outlines how to configure a TEAP group policy and push out to domain joined machines. The following is required:
- All machines updated to Windows 10 Build 2004
- ISE upgraded to 2.7 Patch 2
- Domain joined machine (Used to generate XML config) that has the following:
- Wired autoconfig service enabled
- Network Adapter authentication tab configurable
- Root CA certificate for trust installed (Root CA that signed the RADIUS certificate ISE will present)
- Domain joined machine or group of machines to push group policy to
- Domain controller (Example was on Server 2016 Standard with latest updates installed (2020-07 Cumulative Update (KB4565511) and 2020-07 Servicing Stack Update (KB4565912))
Generate XML File
1. Login to domain joined machine that will be used to generated the XML and ensure the defined options above have been enabled/imported
2. Under the Authentication tab on the Network Adapter properties set the Choose a network authentication drop down to Microsoft EAP-TEAP.
3.Click the Settings button next to the drop down
• Leave Enable identity privacy enabled with anonymous as the identity.
• Select the check mark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN
• Under Client Authentication, set both the primary and secondary EAP method for authentication to Microsoft: Smart Card or other certificate
4.Under each EAP method drop down, click the Configure button.
• Use a certificate on this computer is the default setting.
• Leave Verify the server’s identity by validating the certificate enabled.
• Connect to these servers is optional (just like above).
• Select the check mark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.
• Click OK.
• Repeat for secondary method.
5. Return to Authentication tab and click the Additional Settings button.
• Enable Specify authentication mode
• Set the drop down to the appropriate setting. I am using User or computer authentication so that both are authenticated (computer on boot to login screen, computer and user when user logs in).
• Click OK.
• Click OK to exit the LAN connection properties.
6. Open a command prompt as administrator and execute the following commands:
netsh lan show profiles - Note down the interface name
netsh lan export profile folder=PATH_TO_FOLDER interface="INTERFACE_NAME"
An XML file will be generated with the required TEAP configuration. The interface name will be the name of the file in the location path set.
7. Open up the XML file and copy everything within <EAPConfig> ..... </EAPConfig> Store in a text file to be made available later
Create Group Policy to push TEAP configuration to Workstations
***To note the group policy is applied to all machines, you can configure this policy to only apply to certain groups.
1.Login to Domain Controller and open up Group Policy Management
2. Right click on the domain and select Create a GPO in this domain, and link it here
Name the new GPO
3. Right click on the newly created Policy and click Edit, navigate to:
- Computer Configuration -> Policies -> Windows Settings ->Security Settings -> System Services
- Double Click Wired AutoConfig service, select the define this policy setting and set the service startup mode mode to Automatic
4. Navigate to:
- Computer Configuration -> Policies -> Windows Settings ->Security Settings -> Wired Network (IEEE 802.3) Policies
- Right click in right area and select Create A New Wired Network Policy for Windows Vista and Later Releases
5. Name the Policy and move to Security tab and select the following (This is dummy configuration)
- Select tick box Enable use of IEEE 802.11X authentication for network access
- Select PEAP as the network authentication method
- Select User or Computer authentication as the authentication mode
6. Right click on the Group Policy created and select Back Up...
Select the location to save the backup and click Backup
7. Navigate to the folder where the backup was saved and open up the Backup.xml file in notepad.
8. Replace the <EAPConfig> ... </EAPConfig> section with the generated EAPConfig created and saved previously:
Existing
Replaced
Ensure you save the notepad file
9. Right click on the Group Policy again and select Import Settings
- Don't worry about backing up the policy this has already been completed, click next -> next
- Select the location where the backup was created previously and contains the edited Backup.xml file
- Select Next -> Finish -> OK
- You will see the GPO status is Succeeded
10. Navigate back to the Wired Network (IEEE 802.3) Policies and edit the Policy that was created. You will see that it will not display the TEAP configuration because it is unsupported but will display some similar to this:
Confirming Domain Joined Workstation has received TEAP configuration:
1. Login to test workstation that has a user & machine certificate and has been enabled to receive the group policy. Open up a cmd and execute the following command:
gpupdate /force - This will force a group policy update
gpupdate /scope /computer /v - This confirms the group policy has been applied, look under Applied Group Policy Objects:
2. Navigate to the wired network adapter under Authentication and you will see Microsoft: EAP-TEAP is selected as the authentication method. If you navigate around the rest of the Authentication settings will match what was created via the XML.
Configure ISE for TEAP
1. Navigate to Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols, Select the Allowed Protocols service that is used in your existing Policy.
- Ensure Allow TEAP is ticked, and Enable EAP Chaining tick box is also selected
2. Navigate to your wired dot1x policy and ensure their is an EAP-TLS authentication Policy
3. Create two authorization policies. The first rule will be the machine authentication. The condition will check if the machine is authenticated but the user is not. The second rule will be the user and machine authentication. The condition for this rule will check if the user and the machine has successfully authenticated. Both rules use the Network Access · EapChainingResult attribute.
I tried in a Wireless dot1x with machine authentication using Certificate(EAP-TLS) and for user authentication using AD Credentials ( ( EAP-MSCHAP2)) to log in to SSID after machine authenticated successfully, but this scenario could not work for me, does anyone have idea, the correct steps to configure.
Thanks
I was able to create this profile both ways, using the xml export/import and also using the Server 22, recreating the wired profile.
My problem is, the GPO applies on Windows 11 but does not apply on Windows 10. Has anyone seen this issue? It sees the policy just doesn't apply it for unknown reasons. Windows 10 22H2, latest patches. Windows 11 22H2 latest patches.
Windows 11:
Windows 10:
GPO:
@giovanni.augusto wrote: MSCHAPv2 for user authentication
It is strange that MSCAPv2 is not used in any of the examples on Cisco websites or on the Internet. Hope you are fine with users with expired passwords, or it is handled by "User Fialed and Machine Susceeded" rule.
Are you using Virtulisation-based security and, more specifically CredentialGuard on endpoints in your environment? Can you please check with System Information (normal user, no need for admin). Please see the screenshot below:
The screenshot shows two machines without and with Credential Guard.