Configure EAP-TEAP Authentication for a Windows Device

To secure your network, follow these steps to configure a client device for EAP-TEAP (Tunneled Extensible Authentication Protocol) authentication.

Tunneled Extensible Authentication Protocol (TEAP) is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel. Within the tunnel, TLV objects are used to convey authentication-related data between the EAP peer and the EAP server. (RFC 7170 - Tunnel Extensible Authentication Protocol)

Note: Juniper Mist Access Assurance supports EAP-TEAP, requiring mandatory machine and user authentication, with EAP-TLS as the authentication method for both.

Currently TEAP support is available for Windows 10 Version and above.

As of now, you can configure wireless and wired profiles with TEAP manually or through scripts, which can be distributed using MDM or GPO. Current MDM solutions do not provide out-of-the-box support for TEAP configuration.

To configure EAP-TEAP on a Windows device:

  1. On your Windows device, navigate to Control Panel > Network and Internet > Network and Sharing Center. Then, click Set up a new connection or network.
  2. Select Manually connect to a wireless network and click Next.
  3. Enter the following details for the wireless network and click Next:
    • Network name—Provide an SSID name.

    • Security type—Select the WPA2-Enterprise or WPA3-Enterprise option.

  4. Click Change connection settings.

    The Wireless Network Properties dialog box appears.

  5. Select the Security tab and select TEAP under Choose a network authentication method. Then, click Settings.

  6. Select the following options in the TEAP Properties dialog box:
    • Identity privacy—The Identity is set to anonymous by default, but you can override it to the desired identity if necessary.
    • Connect to these servers—Enter auth.mist.com if you're using the default Mist Access Assurance server certificate. If you're using a custom RADIUS server certificate, provide the certificate SAN:DNS name.
    • Trusted Root Certification Authorities—Select the Mist Org CA certificate (or your custom RADIUS server certificate).
    • Authentication Method—Select Microsoft: Smart Card or other certificate (EAP-TLS) as the Primary and Secondary EAP methods for authentication.

  7. Click Configure for both the primary and secondary EAP methods. In the Smart Card or other certificate Properties dialog box that appears for each:
    • Ensure that the Use simple certificate selection (Recommended) option is selected.

    • Select the trusted root Certificate Authority (CA) that enables the client to trust the Mist Access Assurance server certificate. Ensure that you select the same CA for both the primary and secondary EAP methods.

    • Click OK.

  8. In the Security tab of the Wireless Network Properties dialog box, click Advanced settings.
  9. In the Advanced settings dialog box:
    1. Select the Specify authentication mode check box and choose User or Computer authentication.
    2. Click OK and then click Close.
  10. Verify the configuration:
    1. In the Juniper Mist portal, create an authentication policy. Add a rule to allow the TEAP Auth Type.
    2. Add the CA certificate to enable Juniper Mist Access Assurance to trust client certificates issued by your added CAs. To add the certificate, navigate to the Organization > Access > Certificates > Add Certificate Authority page. For detailed steps about adding a CA certificate, see Use Certificate Authority (CA) Certificate.
    3. Connect the client device to the network.
    4. Navigate to the Monitor > Service Levels > Insights page and go to the Client Events section. Verify the NAC Client authentication events.
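
To check a profile that was configured manually or pushed by script, the settings from steps 6 through 9 can be read back from the exported profile XML. The PowerShell below is an added example, not Juniper or Microsoft code. The sample XML is constructed and trimmed, and the element names (EapTeap, ServerNames, TrustedRootCAHash, InnerMethodConfig, authMode) are assumed to match what `netsh wlan export profile` writes, so confirm them against a real export.

```powershell
# Constructed, trimmed sample (namespaces omitted). A real file comes from:
#   netsh wlan export profile name="<SSID>" folder=C:\Temp
$sample = [xml]@'
<WLANProfile><MSM><security><OneX>
  <authMode>machine</authMode>
  <EAPConfig><EapHostConfig>
    <EapMethod><Type>55</Type></EapMethod>
    <Config><EapTeap>
      <ServerValidation>
        <ServerNames></ServerNames>
        <TrustedRootCAHash>PLACEHOLDER-HASH</TrustedRootCAHash>
      </ServerValidation>
      <Phase2Authentication>
        <InnerMethodConfig><EapHostConfig><EapMethod><Type>13</Type></EapMethod></EapHostConfig></InnerMethodConfig>
        <InnerMethodConfig><EapHostConfig><EapMethod><Type>26</Type></EapMethod></EapHostConfig></InnerMethodConfig>
      </Phase2Authentication>
    </EapTeap></Config>
  </EapHostConfig></EAPConfig>
</OneX></security></MSM></WLANProfile>
'@

# Return the trimmed text of every element reached by this parent/child chain.
# Matching on local-name() ignores the per-element namespaces of a real export.
function Get-Text([xml]$Doc, [string[]]$Names) {
    $xpath = '//' + (($Names | ForEach-Object { "*[local-name()='$_']" }) -join '/')
    @($Doc.SelectNodes($xpath) | ForEach-Object { $_.InnerText.Trim() })
}

# Emit one finding per setting that deviates from the procedure above.
function Test-TeapProfile([xml]$WlanProfile) {
    $outer = @(Get-Text $WlanProfile 'EAPConfig','EapHostConfig','EapMethod','Type')
    $names = @(Get-Text $WlanProfile 'EapTeap','ServerValidation','ServerNames')
    $roots = @(Get-Text $WlanProfile 'EapTeap','ServerValidation','TrustedRootCAHash')
    $inner = @(Get-Text $WlanProfile 'InnerMethodConfig','EapHostConfig','EapMethod','Type')
    $mode  = @(Get-Text $WlanProfile 'OneX','authMode')

    if ($outer -notcontains '55') { 'Outer EAP method is not TEAP (EAP type 55)' }
    if (-not ($names | Where-Object { $_ })) { 'Step 6: "Connect to these servers" is empty' }
    if (-not ($roots | Where-Object { $_ })) { 'Step 6: no trusted root CA selected' }
    if ($inner.Count -ne 2 -or ($inner | Where-Object { $_ -ne '13' })) {
        'Step 6: primary and secondary methods are not both EAP-TLS (EAP type 13)'
    }
    if ($mode -notcontains 'machineOrUser') { 'Step 9: authMode is not machineOrUser (User or Computer)' }
}

Test-TeapProfile $sample
# Against a real export: Test-TeapProfile ([xml](Get-Content -Raw 'C:\Temp\<exported-file>.xml'))
```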