on 08-25-2020 05:29 PM
With Windows 10 build 2004 and ISE 2.7 Patch 2 TEAP (EAP Chaining) is now supported. It seems currently TEAP can only be configured manually for non-domain joined workstations. This is due to the TEAP option not available under the group policy configuration, for domain managed workstations. However I was able to push a group policy that enables TEAP, by exporting a group policy, changing some XML content related to the Windows Supplicant TEAP configuration, then importing again.
The process below outlines how to configure a TEAP group policy and push out to domain joined machines. The following is required:
1. Login to domain joined machine that will be used to generated the XML and ensure the defined options above have been enabled/imported
2. Under the Authentication tab on the Network Adapter properties set the Choose a network authentication drop down to Microsoft EAP-TEAP.
3.Click the Settings button next to the drop down
• Leave Enable identity privacy enabled with anonymous as the identity.
• Select the check mark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN
• Under Client Authentication, set both the primary and secondary EAP method for authentication to Microsoft: Smart Card or other certificate
4.Under each EAP method drop down, click the Configure button.
• Use a certificate on this computer is the default setting.
• Leave Verify the server’s identity by validating the certificate enabled.
• Connect to these servers is optional (just like above).
• Select the check mark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.
• Click OK.
• Repeat for secondary method.
5. Return to Authentication tab and click the Additional Settings button.
• Enable Specify authentication mode
• Set the drop down to the appropriate setting. I am using User or computer authentication so that both are authenticated (computer on boot to login screen, computer and user when user logs in).
• Click OK.
• Click OK to exit the LAN connection properties.
6. Open a command prompt as administrator and execute the following commands:
netsh lan show profiles - Note down the interface name
netsh lan export profile folder=PATH_TO_FOLDER interface="INTERFACE_NAME"
An XML file will be generated with the required TEAP configuration. The interface name will be the name of the file in the location path set.
7. Open up the XML file and copy everything within <EAPConfig> ..... </EAPConfig> Store in a text file to be made available later
***To note the group policy is applied to all machines, you can configure this policy to only apply to certain groups.
1.Login to Domain Controller and open up Group Policy Management
2. Right click on the domain and select Create a GPO in this domain, and link it here
Name the new GPO
3. Right click on the newly created Policy and click Edit, navigate to:
4. Navigate to:
5. Name the Policy and move to Security tab and select the following (This is dummy configuration)
6. Right click on the Group Policy created and select Back Up...
Select the location to save the backup and click Backup
7. Navigate to the folder where the backup was saved and open up the Backup.xml file in notepad.
8. Replace the <EAPConfig> ... </EAPConfig> section with the generated EAPConfig created and saved previously:
Existing
Replaced
Ensure you save the notepad file
9. Right click on the Group Policy again and select Import Settings
10. Navigate back to the Wired Network (IEEE 802.3) Policies and edit the Policy that was created. You will see that it will not display the TEAP configuration because it is unsupported but will display some similar to this:
1. Login to test workstation that has a user & machine certificate and has been enabled to receive the group policy. Open up a cmd and execute the following command:
gpupdate /force - This will force a group policy update
gpupdate /scope /computer /v - This confirms the group policy has been applied, look under Applied Group Policy Objects:
2. Navigate to the wired network adapter under Authentication and you will see Microsoft: EAP-TEAP is selected as the authentication method. If you navigate around the rest of the Authentication settings will match what was created via the XML.
1. Navigate to Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols, Select the Allowed Protocols service that is used in your existing Policy.
2. Navigate to your wired dot1x policy and ensure their is an EAP-TLS authentication Policy
3. Create two authorization policies. The first rule will be the machine authentication. The condition will check if the machine is authenticated but the user is not. The second rule will be the user and machine authentication. The condition for this rule will check if the user and the machine has successfully authenticated. Both rules use the Network Access · EapChainingResult attribute.
@hslai I just noticed your post, thank you!
@Arne Bierhave you tried TEAP in production deployments? Can you please share some feedback? This is with regards to your old question here:
What's been the general feeing about EAP-TEAP for Windows 10 clients? Does it solve all the use case issues that were previously only solved with AnyConnect NAM?
@SergGu I have not seen it in production so far. I had one customer who was keen to try it but their Windows Server was not up-to-date to allow the TEAP settings to be pushed by Group Policy. There is a minimum version (I can't remember). But I now also believe that even an older Server version can push any arbitrary registry settings - perhaps that would have been a solution too. In my customer space this has yet to see any traction
Reading through this, has their been an update if there is a configuration guide on how to deploy TEAP wireless with GPOs?
@sljohnson Did you find a way of deploying TEAP Wireless with Group Policy Objects for Windows Server 2019 and below?
@tfriedrich4733 Did you find a way of deploying TEAP Wireless with GPO? I'm having the same issues you have mentioned.
if you don't see TEAP options among the GPOs in your Windows servers you can create them on any win10/11 workstation with RSAT and then you can still deploy them with your Windows server, the only issue is that you will not see the options configured in your windows server but they work just fine on the workstations once deployed.
here on how to install RSAT : https://community.cisco.com/t5/security-knowledge-base/teap-for-windows-10-using-group-policy-and-ise-teap/tac-p/4141811/highlight/true#M6958
Has any pushed the GPO to Windows 11? I tried doing the GPO for Windows 11 but it still shows PEAP.
I tried in a Wireless dot1x with machine authentication using Certificate(EAP-TLS) and for user authentication using AD Credentials ( ( EAP-MSCHAP2)) to log in to SSID after machine authenticated successfully, but this scenario could not work for me, does anyone have idea, the correct steps to configure.
Thanks
@filitech Please make a new post at Network Access Control - Cisco Community.
The default authorization rule is to give DenyAccess. Try PermitAccess, instead. The other two rules are matching on SSID and that might not be working for some reason.
I was able to create this profile both ways, using the xml export/import and also using the Server 22, recreating the wired profile.
My problem is, the GPO applies on Windows 11 but does not apply on Windows 10. Has anyone seen this issue? It sees the policy just doesn't apply it for unknown reasons. Windows 10 22H2, latest patches. Windows 11 22H2 latest patches.
Windows 11:
Windows 10:
GPO:
@a.sali - this is not a fix, but we have found that if you untick the Trusted Root CA in the GPO it will deploy on Windows 10. We have currently got a case logged with Microsoft.
If others are also able to log with Microsoft that might help, their first response was to upgrade to Windows 11! - which is not an option for us due to the size and complexity of our estate.
Dear Cisco Experts,
I would like to share some insight with you all. I decided to test if TEAP Chaining will work with method1:Certificate for the machine and Method2:MS-CHAPv2 for User authentication. No matter how hard I was trying on Wired or Wireless, it was not working. It was just failing without completing TEAP.
After some time, I identified the reason and would like to share it with the community:
For more detials please refer to https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
There is also a hint that MS-CHAPv2 not supported with ISE and LDAP. But perhaps it is working when ISE is "joined" into the domain.
Good luck all!
@giovanni.augusto wrote: MSCHAPv2 for user authentication
It is strange that MSCAPv2 is not used in any of the examples on Cisco websites or on the Internet. Hope you are fine with users with expired passwords, or it is handled by "User Fialed and Machine Susceeded" rule.
Are you using Virtulisation-based security and, more specifically CredentialGuard on endpoints in your environment? Can you please check with System Information (normal user, no need for admin). Please see the screenshot below:
The screenshot shows two machines without and with Credential Guard.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: