Security

  • 1.  Tunnel EAP (TEAP) Windows 11

    Posted Oct 24, 2023 12:26 PM

    Hi All,

    I am trying to configure EAP-TEAP for Windows 11 machines and see that it does not allow me to select the "Automatically use my Windows logon name and password.." option, which is greyed out (see below). I would appreciate it if someone could advise how to fix this.

    I found this article (https://learn.microsoft.com/en-us/answers/questions/1036203/cant-configure-teap-settings-for-wired-connection), but it does not seem straightforward, and I am also not sure whether this will cause any security breach.



  • 2.  RE: Tunnel EAP (TEAP) Windows 11

    Posted Oct 25, 2023 09:18 AM

    See if you can set up the profile and export it to an XML.  Once you have the XML, see if you can import it to the computer while Device Guard is enabled.

    1. Disable Device Guard:
      - gpedit.msc -> Computer Configuration | Administrative Templates | System | Device Guard
    2. Set up and test TEAP settings for your connection.  Make sure it works correctly and connects.
    3. Export the LAN profile for your TEAP settings:
      - netsh lan export profile folder=c:\lan\profiles
    4. Set the Device Guard settings back to how they were before your changes.
    5. Delete the TEAP settings for your LAN adapter.
    6. Import the LAN XML profile and test to see if it works:
      - netsh lan add profile filename="c:\lan\profiles\Profile1.xml" interface="Local Area Connection"

    On another note - I do not have Device Guard enabled on my machine.  I have never touched this setting before and I do not think that is something we have set to enable/disable anywhere.  My machine is running Windows 11 Pro 21H2.
    "Automatically use my Windows logon name and password.." is not grayed out for me.




  • 3.  RE: Tunnel EAP (TEAP) Windows 11

    Posted Oct 27, 2023 10:14 AM

    Hi MF,

    Thank you so much for your reply. Let me go through your steps and check this out. Again, I hope this will not cause a Windows OS security breach..?




  • 4.  RE: Tunnel EAP (TEAP) Windows 11

    Posted Oct 27, 2023 09:58 AM

    Please note that MSCHAPv2 is strongly deprecated, and EAP-TLS (client certificate authentication, also as inner methods for TEAP) is probably the only way to go.

    The link discusses Credential Guard, as also mentioned in the other response, which I think is the reason the 'Use my Windows login' is greyed out. Be prepared that future versions of Windows may make it even harder to use legacy/insecure authentication like MSCHAPv2.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
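
The replies above export the TEAP profile to XML and warn that MSCHAPv2 is deprecated in favour of EAP-TLS. As an added example (not part of the thread, and not Microsoft or Aruba code), this PowerShell function lists the EAP method numbers found in such a profile and flags MSCHAPv2. It assumes the methods appear as IANA EAP type numbers in `<Type>` elements; the function name and the sample fragment are constructed for illustration.

```powershell
# IANA EAP method numbers relevant to this thread.
$EapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2'; 55 = 'TEAP' }
$Legacy   = @(26)   # password-based method called deprecated in the thread

function Get-EapMethodTypes {
    # Hypothetical helper: reports every numeric <Type> element in a profile.
    param([Parameter(Mandatory)][xml]$ProfileXml)

    # local-name() matches <Type> regardless of which XML namespace it sits in.
    foreach ($node in $ProfileXml.SelectNodes("//*[local-name()='Type']")) {
        $value = 0
        if ([int]::TryParse($node.InnerText.Trim(), [ref]$value)) {
            [pscustomobject]@{
                Type   = $value
                Name   = if ($EapNames.ContainsKey($value)) { $EapNames[$value] } else { 'unknown' }
                Parent = $node.ParentNode.LocalName   # shows outer vs. inner position
                Legacy = $Legacy -contains $value
            }
        }
    }
}

# Constructed, simplified fragment; the element layout here is an assumption,
# not a copy of a real exported profile.
[xml]$sample = @'
<LANProfile>
  <EapHostConfig>
    <EapMethod><Type>55</Type></EapMethod>
    <Config>
      <InnerMethod><Type>13</Type></InnerMethod>
      <InnerMethod><Type>26</Type></InnerMethod>
    </Config>
  </EapHostConfig>
</LANProfile>
'@

Get-EapMethodTypes -ProfileXml $sample | Format-Table -AutoSize

# Against the file produced by the export step in the thread:
# Get-EapMethodTypes -ProfileXml ([xml](Get-Content 'c:\lan\profiles\Profile1.xml' -Raw))
```

A row with `Legacy` set to `True` means the profile still offers MSCHAPv2 and is a candidate for moving to EAP-TLS as the inner method.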



  • 5.  RE: Tunnel EAP (TEAP) Windows 11

    Posted Oct 27, 2023 10:16 AM

    Hi Herman,

    Thanks for your advice/comments on this. I am with you too and always try to use EAP-TLS whenever possible, but sometimes, if a machine is shared between a group of users, I am not sure TEAP method two (Secondary Auth) will work with EAP-TLS as well..?




  • 6.  RE: Tunnel EAP (TEAP) Windows 11

    Posted Oct 31, 2023 11:25 AM

    Yes, TEAP can use EAP-TLS as the (both) inner methods.

    Yes, you can have TEAP and EAP-TLS in the same service.


