
EAP-TEAP Machine auth

Patrick_Fowler
New Contributor

I have a requirement to implement EAP-TEAP for multiple customers to resolve an issue when using EAP-TLS and a new user logs in to a computer. No user certificate is on the computer, so authentication fails. EAP-TEAP will resolve this issue.

I have EAP-TEAP working for user authentication; however, if the user logs off or the computer is rebooted, the computer fails authentication. I discussed this with TAC, and currently ExtremeControl only supports machine + user auth. Machine authentication is a must.

I have followed this KB article: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000113008&q=eap-teap

Any suggestions are welcome. 

3 REPLIES

Ryan_Yacobucci
Extreme Employee

Hello Pat,

It was theorized that if a device can be configured to use a different 802.1X method for computer authentication than it does for user authentication, this may be a workaround for the limitations of our EAP-TEAP deployment.

If computer authentication could perform EAP-TLS while user authentication performs EAP-TEAP, it would allow for 802.1X authentication at both the machine and user levels.

I have not put any time into figuring out whether this is a viable Microsoft configuration, or how it could be achieved through GPO or Intune configuration.

Thanks
-Ryan

Patrick_Fowler
New Contributor

Thanks Rob for the reply. 

All of our customers that will use EAP-TEAP will be managed by AD using GPOs and/or Intune, which includes the wired/wireless settings and the computer/user certificates. The problem is that, currently, ExtremeControl doesn't support machine authentication. EAP-TEAP uses machine auth (primary method) and then machine auth with user (secondary method).

Right now the computer can't authenticate to the network. When a new user logs into a computer, they are not able to log in, since the computer isn't able to connect to the domain controllers and the CA server for the cert. If the machine was authenticated first, then the user could use that authentication to contact the DCs and the CA server. After the user cert was installed, the user could authenticate using EAP-TEAP.

I've talked with my local SE about this, and I asked that this be made a feature request. This is a must-have if anyone wants to use EAP-TEAP. The computer has to be connected to the network.

If there is another way of doing this until machine auth is added, I'm open to suggestions.
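A check that helps when troubleshooting the behaviour described in this thread (the machine not attempting 802.1X before a user logs on) is to confirm what the Windows wired profile actually contains. This is an added example, not code from the original thread, from Extreme Networks or from Microsoft: it parses a profile exported with `netsh lan export profile folder=C:\temp interface="Ethernet"` and reports the OneX `authMode` and the EAP method type. The two embedded profiles are constructed samples, and the assumption that `authMode` defaults to `machineOrUser` when omitted is noted in the code.

```python
"""Inspect an exported Windows 802.1X wired (LAN) profile for machine-auth readiness.

Export a live profile first (Windows, elevated prompt):
    netsh lan export profile folder=C:\\temp interface="Ethernet"
then run inspect_profile() on the file contents.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the Windows LAN profile / OneX / EapHostConfig schemas.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapcommon": "http://www.microsoft.com/provisioning/EapCommon",
}

# IANA EAP method type numbers for the methods discussed in the thread.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 55: "EAP-TEAP"}

# OneX authMode values that make the supplicant start 802.1X before any user logs on.
# With authMode "user" the port stays unauthenticated until logon, so a first-time
# user cannot reach the DCs or the CA, which is the symptom described in the thread.
PRE_LOGON_MODES = {"machine", "machineOrUser"}


def inspect_profile(xml_text):
    """Return auth_mode, EAP type number/name and whether pre-logon auth is attempted."""
    root = ET.fromstring(xml_text)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX element; 802.1X is not configured")

    mode_el = onex.find("onex:authMode", NS)
    # Assumption: an omitted authMode behaves as the schema default "machineOrUser".
    auth_mode = mode_el.text.strip() if mode_el is not None and mode_el.text else "machineOrUser"

    type_el = onex.find(".//eaphost:EapMethod/eapcommon:Type", NS)
    eap_type = int(type_el.text) if type_el is not None and type_el.text else None

    return {
        "auth_mode": auth_mode,
        "eap_type": eap_type,
        "eap_method": EAP_TYPES.get(eap_type, "unknown (type %s)" % eap_type),
        "attempts_pre_logon": auth_mode in PRE_LOGON_MODES,
    }


def _sample(auth_mode, eap_type):
    """Build a constructed wired profile with the given authMode and EAP type (sample data)."""
    return """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>%s</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">%d</Type>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
""" % (auth_mode, eap_type)


# Constructed samples: a user-only TEAP profile (the failing case) and a
# machine-or-user EAP-TLS profile (the case that authenticates before logon).
SAMPLE_USER_TEAP = _sample("user", 55)
SAMPLE_MACHINE_TLS = _sample("machineOrUser", 13)

if __name__ == "__main__":
    for name, xml in (("user/TEAP", SAMPLE_USER_TEAP), ("machineOrUser/TLS", SAMPLE_MACHINE_TLS)):
        print(name, inspect_profile(xml))
```

Whether the RADIUS server then accepts the machine-only phase is a separate question that this check cannot answer; it only tells you whether the supplicant is configured to try.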

Robert_Haynes
Extreme Employee

Hello Patrick.

Assuming a clean slate / new machine, that machine would need to be GPO managed and provisioned either way. The default profile could be to have the client do PEAP user authentication to get on the network, and once authenticated and able to reach Active Directory, the client could have a new GPO policy pushed that is EAP-TEAP along with a required machine certificate (which should be present simply by GPO as a managed device) and either a user-specific client cert (for TLS) or user credentials cached for user auth. The details, however, I cannot provide; that is not something we manage from a PC / GPO perspective.
