Eap Chaining Windows 10

1/6/2022 by admin

I would like to know if there is some workaround to support EAP chaining through Aruba controller. We tried to set up a controller with a Cisco ISE AAA server in the environment where the customer is using EAP chaining (EAP-FAST v2 from Cisco) for user and device authentication.

ISE EAP-Chaining with machine, certificate and domain credential

Thank you for the replies. Going back to the customer, they don't want to load any extra clients on their machines, so I have to work within the restrictions of the Windows native supplicant.


Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

If you use PEAP, EAP-FAST, or Cisco LEAP in your enterprise network, you probably already know that these three wireless authentication protocols are not supported by Surface devices out of the box. Some users may discover this when they attempt to connect to your wireless network; others may discover it when they are unable to gain access to resources inside the network, like file shares and internal sites. For more information, see Extensible Authentication Protocol.

You can add support for each protocol by executing a small MSI package from a USB stick or from a file share. For organizations that want to enable EAP support on their Surface devices, the MSI package format supports deployment with many management and deployment tools, like the Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager.


Download PEAP, EAP-FAST, or Cisco LEAP installation files

You can download the MSI installation files for PEAP, EAP-FAST, or Cisco LEAP in a single zip archive file from the Microsoft Download Center. To download this file, go to the Surface Tools for IT page on the Microsoft Download Center, click Download, and then select the Cisco EAP-Supplicant Installer.zip file.

Deploy PEAP, EAP-FAST, or Cisco LEAP with MDT

If you are already performing a Windows deployment to Surface devices in your organization, it is quick and easy to add the installation files for each protocol to your deployment share and configure automatic installation during deployment. You can even configure a task sequence that updates previously deployed Surface devices to provide support for these protocols using the same process.

To enable support for PEAP, EAP-FAST, or Cisco LEAP on newly deployed Surface devices, follow these steps:

  1. Download and extract the installation files for each protocol to separate folders in an easily accessible location.

  2. Open the MDT Deployment Workbench and expand your deployment share to the Applications folder.

  3. Select New Application from the Action pane.

  4. Choose Application with source files to copy the MSI files into the Deployment Share.

  5. Select the folder you created in step 1 for the desired protocol.

  6. Name the folder in the deployment share where the installation files will be stored.

  7. Specify the command line to deploy the application:

    • For PEAP use EAP-PEAP.msi /qn /norestart.

    • For LEAP use EAP-LEAP.msi /qn /norestart.

    • For EAP-FAST use EAP-FAST.msi /qn /norestart.

  8. Use the default options to complete the New Application Wizard.

  9. Repeat steps 3 through 8 for each desired protocol.

After you’ve performed these steps to import the three MSI packages as applications into MDT, they will be available for selection in the Applications page of the Windows Deployment Wizard. Although in some simple deployment scenarios it might be sufficient to have technicians select each package at the time of deployment, it is not recommended. This practice introduces the possibility that a technician could attempt to apply these packages to computers other than Surface devices, or that a Surface device could be deployed without EAP support due to human error.

To hide these applications from the Install Applications page, select the Hide this application in the Deployment Wizard checkbox in the properties of each application. After the applications are hidden, they will not be displayed as optional applications during deployment. To deploy them in your Surface deployment task sequence, they must be explicitly defined for installation through a separate step in the task sequence.

To specify the protocol(s) explicitly, follow these steps:

  1. Open your Surface deployment task sequence properties from the MDT Deployment Workbench.

  2. On the Task Sequence tab, select the Install Applications step under State Restore. This is typically found between the pre-application and post-application Windows Update steps.

  3. Use the Add button to create a new Install Application step from the General category.

  4. Select Install a single application in the step Properties tab.

  5. Select the desired EAP protocol from the list.

  6. Repeat steps 2 through 5 for each desired protocol.

Deploy PEAP, EAP-FAST, or Cisco LEAP with Configuration Manager

For organizations that manage Surface devices with Configuration Manager, it is even easier to deploy PEAP, EAP-FAST, or Cisco LEAP support to Surface devices. Simply import each MSI file as an application from the Software Library and configure a deployment to your Surface device collection.

For more information on how to deploy applications with Configuration Manager see How to Create Applications in Configuration Manager and How to Deploy Applications in Configuration Manager.

Cisco ISE 2.7 and Windows 10 build 2004 (May 2020) added support for TEAP. This is a huge step forward because it will allow us to perform user and machine authentication at the same time. Previously, doing this required the AnyConnect NAM module and configuring EAP Chaining (Windows only). Now, we can utilize the Windows native supplicant to perform the same action.

The setup for this configuration is as follows:

  • Cisco ISE 2.7 with Patch 1
  • Windows 10 build 2004 (May 2020)

Cisco ISE Configuration

I’m using the Default Network Access allowed protocols but you can easily set it to just the protocols you require (recommended). In the default protocols, I’m enabling TEAP and EAP Chaining.

I then modify my wired (since that’s what I’m testing) 802.1x policy set.

I already have my authentication policy configured for EAP-TLS with an identity source sequence using a Certificate Authentication Profile that is found under Administration > Identity Management.

The authorization policy is going to be updated to include two new rules. The first rule will be the machine authentication. Its condition will check that the machine is authenticated but the user is not. The second rule will be the user and machine authentication. Its condition will check that both the user and the machine have successfully authenticated. Both rules use the Network Access · EapChainingResult attribute.

That completes the configuration on the ISE node.

Windows TEAP configuration

I’ll be configuring the wired authentication settings for this example. Go to the Authentication tab under the properties of the LAN connection (Control Panel > Network and Sharing Center > Change adapter settings > right-click LAN connection > Properties).

  1. Set the Choose a network authentication drop-down to Microsoft EAP-TEAP.
  2. Click the Settings button next to the drop-down.
    • Leave Enable identity privacy enabled with anonymous as the identity.
    • The Connect to these servers field is optional but can be used to ensure endpoints only authenticate to specific RADIUS (ISE PSN) nodes.
    • Place a checkmark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.
    • Under Client Authentication, I’m setting both the primary and secondary EAP method for authentication to Microsoft: Smart Card or other certificate.*
    • Under each EAP method drop down, click the Configure button.
      • Use a certificate on this computer is the default setting.
      • Leave Verify the server’s identity by validating the certificate enabled.
      • Connect to these servers is optional (just like above).
      • Place a checkmark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.
      • Click OK.
      • Repeat for secondary method.
    • Click the Additional Settings button.
      • Enable Specify authentication mode.
      • Set the drop-down to the appropriate setting. I am using User or computer authentication so that both are authenticated (computer only from boot to the login screen, computer and user once a user logs in).
      • Click OK.
    • Click OK to exit the LAN connection properties.

Testing the configuration


Now that the Windows 10 configuration is complete, it is time to test. I rebooted the computer to get a clean Live Logs entry. The initial connection was successful! The Live Logs showed anonymous,host/WIN10-ADMIN.securitydemo.net for the identity. This was expected, as we set identity privacy to use anonymous as the username. Because this was only a machine authentication, there is no user identity to send, so anonymous is basically a placeholder.

Logging in to the machine with an AD account was also successful. Checking the Live Logs again showed [email protected],host/WIN10-ADMIN.securitydemo.net for the identity. Notice anonymous has been changed to the user account now that a user account is actually present. Both entries showed that the SecDemo-EAPTLS authentication policy was used to authenticate the sessions.

Looking at the session details, we now have a few new fields. Most notable are NACRadiusUserName and EapChainingResult under Other Attributes. Machine authentications will only show a single NACRadiusUserName entry, but the chained user and machine authentication will show two entries (one for the user, one for the machine). You can also verify in the session details, under the Authentication Details section, that TEAP (EAP-TLS) was used for the Authentication Protocol.

* If your deployment is currently using MSCHAPv2 for machine and user authentication, set the secondary EAP method for authentication to Microsoft: Secured password (EAP-MSCHAP v2).
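The following is an added example, not code from the original post: it applies the two authorization-rule conditions described above to constructed Live Logs records, using the EapChainingResult attribute, the "user,host/machine" TEAP identity format and the NACRadiusUserName count, so the three fields can be cross-checked automatically instead of by eye. The EapChainingResult strings and the jdoe@securitydemo.net user are assumptions.

```python
from typing import List, Optional, Tuple

# EapChainingResult values as ISE words them (assumption; confirm against your own Live Logs).
MACHINE_ONLY = "User failed and machine succeeded"
BOTH_OK = "User and machine both succeeded"
EXPECTED_PROTOCOL = "TEAP (EAP-TLS)"

def split_identity(identity: str) -> Tuple[Optional[str], str]:
    """TEAP identity is '<outer user>,host/<machine>'. 'anonymous' means identity
    privacy hid the user (machine-only session). Returns (user or None, machine)."""
    user, sep, machine = identity.partition(",")
    if not sep or not machine.startswith("host/"):
        raise ValueError(f"unexpected TEAP identity: {identity!r}")
    return (None if user == "anonymous" else user), machine[len("host/"):]

def match_rule(record: dict) -> Optional[str]:
    """Name of the authorization rule this session would hit, or None (default/deny).
    Also cross-checks the record: a machine-only chain must carry an anonymous outer
    identity and one NACRadiusUserName; a chained auth a real user and two names."""
    if record.get("AuthenticationProtocol") != EXPECTED_PROTOCOL:
        return None
    user, _machine = split_identity(record["Identity"])
    names = record.get("NACRadiusUserName", [])
    chain = record.get("EapChainingResult")
    if chain == MACHINE_ONLY and user is None and len(names) == 1:
        return "Machine-Auth-Only"      # rule 1 from the post
    if chain == BOTH_OK and user is not None and len(names) == 2:
        return "User-And-Machine-Auth"  # rule 2 from the post
    return None

# Constructed Live Logs records modelled on the identities quoted in the post.
SAMPLE_LOGS = [
    {"Identity": "anonymous,host/WIN10-ADMIN.securitydemo.net",
     "AuthenticationProtocol": "TEAP (EAP-TLS)",
     "EapChainingResult": MACHINE_ONLY,
     "NACRadiusUserName": ["host/WIN10-ADMIN.securitydemo.net"]},
    {"Identity": "jdoe@securitydemo.net,host/WIN10-ADMIN.securitydemo.net",
     "AuthenticationProtocol": "TEAP (EAP-TLS)",
     "EapChainingResult": BOTH_OK,
     "NACRadiusUserName": ["jdoe@securitydemo.net", "host/WIN10-ADMIN.securitydemo.net"]},
    # User cert valid but machine cert failed: must hit neither rule.
    {"Identity": "jdoe@securitydemo.net,host/WIN10-ADMIN.securitydemo.net",
     "AuthenticationProtocol": "TEAP (EAP-TLS)",
     "EapChainingResult": "User succeeded and machine failed",
     "NACRadiusUserName": ["jdoe@securitydemo.net"]},
]

def evaluate(records: List[dict]) -> List[Optional[str]]:
    return [match_rule(r) for r in records]
```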

Update

So I found out there is a bug in release 2.7 (Patch 1 and unpatched) preventing you from utilizing AD groups in the authorization rule. ISE is not pulling AD group information properly when using EAP chaining so the authorization rule containing an AD group condition will not match. The bug ID is CSCvt18613. Hopefully it will be fixed in 2.7 patch 3.
