  • 1.  How to diverse between EAP-TEAP and Radius Proxy MSCHAPv2

    Posted Apr 03, 2025 10:29 AM

    We currently have two services:

    • Transparent proxy to NPS for MSCHAPv2 requests.
    • EAP-TEAP 802.1x requests (machine + user) handled by ClearPass.

    Both TEAP and MSCHAPv2 use the same username domain suffix, so username cannot be used to select the service. Can the requests be matched on the authentication method? I tried Service filter Authentication:OuterMethod equals TEAP, but the initial anonymous user requests are no longer matched to the service because the computed authentication attribute is not present.

    Any suggestions how to implement this?



  • 2.  RE: How to diverse between EAP-TEAP and Radius Proxy MSCHAPv2

    Posted Apr 03, 2025 10:42 AM

    I think I got it working by filtering on the 'anonymous' username to filter the TEAP requests and still forward all other EAP-MSCHAPv2 requests to the external Windows NPS:




  • 3.  RE: How to diverse between EAP-TEAP and Radius Proxy MSCHAPv2
    Best Answer

    Posted Apr 03, 2025 10:44 AM

    You may utilize the Anonymous identity field and set the username in this field to TEAP or something else that distinguishes the TEAP authentication.

    You can also put it in the form teap@domain.com or similar.

    This setting should be set from a GPO or Intune policy together with the rest of the 802.1x TEAP settings; instructing users to do it manually will render user errors.

    Place the TEAP service above the proxy service.

    The reason why you can't filter on the authentication method is that the Service filtering takes place before the authentication method is negotiated. So the only information you have is the initial RADIUS request including the user name if specified in the Anonymous field. The reason for this field is to be able to route requests to different services or servers without knowing the real username.

    A well-known case is EDUROAM where the request is either routed to the local RADIUS server or to a remote server for authentication.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
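As an added illustration of the answer above (not part of the thread and not ClearPass code), this Python sketch parses a constructed first Access-Request and picks a service from an ordered list. It shows that the first packet carries only EAP-Response/Identity, so the outer User-Name is the one usable key. The service names, the rule table and the sample identities are assumptions.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79         # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # EAP code and type (RFC 3748)

def build_access_request(outer_identity: str) -> bytes:
    """Constructed sample: first Access-Request of an 802.1X session."""
    ident = outer_identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    attrs = bytes([USER_NAME, 2 + len(ident)]) + ident
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    # Code 1 = Access-Request, identifier 0, total length, 16-byte authenticator
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value}; repeated attributes are concatenated."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = attrs.get(atype, b"") + packet[pos + 2:pos + alen]
        pos += alen
    if pos != length:
        raise ValueError("trailing bytes after last attribute")
    return attrs

def first_eap_type(attrs: dict) -> int:
    """EAP type in the first request; no method (TEAP, MSCHAPv2) is chosen yet."""
    return attrs[EAP_MESSAGE][4]

# Hypothetical ordered service list, first match wins: TEAP sits above the proxy.
SERVICES = [
    ("TEAP 802.1X", lambda user: user.lower() == "teap@domain.com"),
    ("Proxy to NPS", lambda user: True),
]

def select_service(packet: bytes) -> str:
    user = parse_attributes(packet)[USER_NAME].decode()
    return next(name for name, rule in SERVICES if rule(user))
```

The outer identity is sent in the clear and chosen by the client, so it only selects the service; the TEAP service still has to authenticate the inner machine and user identities.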



  • 4.  RE: How to diverse between EAP-TEAP and Radius Proxy MSCHAPv2

    Posted Apr 04, 2025 09:32 AM

    Works like a charm, thank you!