Security

Hello 👋 Guys,

This is a long shot but I thought I would ask. I have successfully implement Eap-Teap in my testing environment. I was wondering how did you guys deploy it in production.

 Delete the old wifi profile and pushed new ones. But users would need to be connected to the network for this to work. I would need to create another temp access point for this transition. 

I don't wan't to go that route as I want a smooth transition. 

Does anybody has another suggestion? I am deploying this through intone by the way.

Thanks

You could either migrate to a different WLAN/SSID or trust that pushing the new supplicant configuration using the existing SSID will work.  Definitely recommend testing the process.

Not a long shot and good question.  We did the same thing in our enviroment.

Here is what I have setup:

Copy your EAP-TLS service. 
Add a new condition to the service "Radius:IETF - User-Name=anonymous". 
Set the authentication method to EAP-TEAP.
Make sure the new copied service is above the old EAP-TLS service.

This works because EAP-TLS will send the username in the RADIUS request.  With EAP-TEAP, the username will always be anonymous.

I currently have both EAP-TEAP and EAP-TLS running in our environment due to apple devices.  If it is a windows device, it will hit the first service due to matching user-name=anonymous.  If the user-name is not anonymous, it will hit the next service which is EAP-TLS.  I only allow apple devices to do cert auth without machine auth.



Ignore my NOT_BELONGs_TO_GROUP rule.  I use a SHL so that I can bypass (not match) services for testing.

Here is the EAP-TLS service

Thanks everyone for your input. 

I currently have the same set up as you as I have moved the EAP-Teap above so that rule gets hit first. Mflowers@beta.team" data-itemmentionkey="b0aafaf1-bdc8-461e-b2c1-62656eb23e5b" biobubblekey="mentionf778aa81-7f17-4336-ad60-0f6d4583d23a" href="https://airheads.hpe.com/profile?UserKey=f778aa81-7f17-4336-ad60-0f6d4583d23a" data-can-remove="False">@Mflowers@beta.team

Regarding your Wifi profile, how did you send the config. Because we have two SSID, one for company uses and the other one for guesses. 

I have send the new config to the same SSID but it only took effect when I rebooted the computer for sure. I am a little bit excited about that but I will keep doing some testing.

Thanks

We send our wireless profile to computers using Intune and Kandji (apple MDM).  

When we moved from EAP-TLS to EAP-TEAP, I updated the wireless profile in Intune.  I started with some test machines, then to the IT-Team, then to employees laptops and finally critical production systems/all windows machines.  This was a while ago and I don't remember if the machines needed a reboot before the change took affect or not. 

I remember everything went smoothly and I didn't have any issues.