Windows 10 AlwaysON VPN with EAP-TEAP

Stanislav Bachtin 1 Reputation point
2020-10-08T12:12:44.94+00:00

Hello Guys,

We are currently looking into using a new AlwaysOn VPN with EAP-TEAP against Cisco ASA + Cisco ISE Pair. We have tested everything with EAP-TLS (with User Certificate) and EAP-PEAP + EAP-Mschapv2 (User against AD) and everything seems to be working flawlessly. But with EAP-TEAP the User Authentication Part seems to be failing no matter what, with both EAP-TLS and EAP-PEAP as Internal User Authentication Methods. On the ISE I see this message:

Supplicant declined inner EAP method selected by Authentication Policy but did not proposed another one; inner EAP negotiation failed

The Machine part of the Authentication works without Problems (again, both EAP-PEAP and EAP-TLS work here). So as I see it:

1) TEAP Tunnel was successfully negotiated

2) Windows 10 VPN Supplicant declines the first inner tunnel establishment no matter what

3) The second authentication tunnel for Machine Authentication was then negotiated and completed successfully.

I have tested the same machine against the same ISE, but with Wired 802.1x and there EAP-TEAP works without problems (with all possible combinations of EAP-Mschapv2 and EAP-TLS as internal methods). So it makes me think, that the problem lies with Windows 10 VPN Client.

Is this a known bug or am I missing something here?

Cheers


3 answers

  1. Gloria Gu 3,891 Reputation points
    2020-10-12T03:16:53.12+00:00

    Hi,

    Thank you for posting in Q&A!

    With Windows 10 build 2004 and ISE 2.7 Patch 2, TEAP (EAP Chaining) has been supported since May 2020, but it seems that currently TEAP can only be configured manually for non-domain-joined workstations. This is due to the TEAP option not being available under the group policy configuration for domain-managed workstations.

    If your Win10 clients are domain joined, you have to push a group policy that enables TEAP by exporting a group policy and changing some XML content related to the Windows Supplicant TEAP configuration.

    For more details, please refer to:
    https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
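
    Before editing supplicant XML for a group policy, it helps to confirm what EAP method the client's VPN profile actually carries and which inner methods it proposes. The following PowerShell is an added example, not part of this thread or of Microsoft's or Cisco's documentation; it reads the `EapConfigXmlStream` of an existing VPN profile with `Get-VpnConnection` and maps the numeric EAP types (IANA values: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2, 55 = TEAP) to names. The profile name is a placeholder you must replace, and the assumption that the first `<Type>` element in the EapHostConfig XML is the outer method and any later ones are inner methods follows the layout of Windows EAP configuration XML.

    ```powershell
    # Added example (not from the thread): report the outer and inner EAP methods
    # configured on a Windows 10 VPN profile, so you can check whether the profile
    # carries TEAP (55) and which inner methods the supplicant will propose.
    # Assumes: $ConnectionName is a placeholder for your AlwaysOn VPN profile name,
    # and the profile uses EAP (not MSCHAPv2/PSK-only) authentication.
    param(
        [string]$ConnectionName = "AlwaysOn-VPN-PLACEHOLDER",
        [switch]$AllUserConnection
    )

    # IANA EAP method type numbers relevant to this thread
    $EapTypeNames = @{
        13 = "EAP-TLS"
        25 = "PEAP"
        26 = "EAP-MSCHAPv2"
        55 = "TEAP"
    }

    function Get-VpnEapMethods {
        param([string]$Name, [bool]$AllUsers)

        $vpn = if ($AllUsers) {
            Get-VpnConnection -Name $Name -AllUserConnection
        } else {
            Get-VpnConnection -Name $Name
        }

        if ($vpn.AuthenticationMethod -notcontains 'Eap' -or -not $vpn.EapConfigXmlStream) {
            throw "Profile '$Name' is not configured for EAP; nothing to inspect."
        }

        # Namespace-agnostic match on every <Type> element. Assumption: the first
        # one is the outer method (EapHostConfig/EapMethod/Type); later ones are
        # inner methods nested inside the outer method's configuration.
        $types = @($vpn.EapConfigXmlStream.SelectNodes("//*[local-name()='Type']") |
                   ForEach-Object { [int]$_.InnerText })

        $describe = { param($t) if ($EapTypeNames.ContainsKey($t)) { "$t ($($EapTypeNames[$t]))" } else { "$t (unknown)" } }

        [pscustomobject]@{
            Profile      = $Name
            OuterMethod  = & $describe $types[0]
            InnerMethods = @($types | Select-Object -Skip 1 | ForEach-Object { & $describe $_ })
            IsTeap       = ($types[0] -eq 55)
        }
    }

    $result = Get-VpnEapMethods -Name $ConnectionName -AllUsers:$AllUserConnection.IsPresent
    $result | Format-List

    # Save the raw EAP XML next to the report; this is the document you would edit
    # before importing it into a group policy, as the answer above describes.
    $out = Join-Path $env:TEMP "$($ConnectionName)-eapconfig.xml"
    (Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection.IsPresent).EapConfigXmlStream.Save($out)
    Write-Host "EAP configuration XML written to $out"
    ```

    Run it from the user context that owns the profile (add `-AllUserConnection` for device-wide profiles). If `IsTeap` is false, the client is not even attempting TEAP and the ISE message in the question cannot be the first problem; if it is true, the `InnerMethods` list shows which inner methods the supplicant was configured to offer, which you can compare against the inner method the ISE authentication policy selects.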


  2. Stanislav Bachtin 1 Reputation point
    2020-10-15T08:48:24.647+00:00

    Hello Gloria,

    Thank you for your time. We have opened a Ticket with Microsoft Support, the problem is being investigated now.

    Cheers,
    S.


  3. Stanislav Bachtin 1 Reputation point
    2020-12-17T17:14:56.647+00:00

    Hello Gloria,

    We have an official confirmation from Microsoft that the problem lies within the MS VPN Client software, which was not properly updated to support EAP-TEAP. We have asked for this feature to be implemented and it should be added to the development roadmap either for 2021 or 2022.

    Cheers,
    S.