EAP-TEAP Policy Design
Design Goals
- Reward certificate-based auth with more access
- Allow password fallback with limited access
- Support a transition period during migration
Policy Structure
Policy Set: Wired-TEAP
├── Authentication Policy
│   └── TEAP-Auth: Identity = AD + Certificate Authentication Profile (identity source sequence)
├── Authorization Policy
│   ├── TEAP-Machine-Cert: Full Access
│   ├── TEAP-User-Cert: Full Access
│   ├── TEAP-Chained: Full Access
│   ├── TEAP-Password-Only: Limited Access
│   └── Default: Deny
Conditions
Certificate-Based
# Machine leg of the chain succeeded with inner EAP-TLS (device certificate)
Network Access:EapTunnel EQUALS TEAP
AND Network Access:EapAuthentication EQUALS EAP-TLS
AND Network Access:EapChainingResult EQUALS Machine Succeeded
The user-cert, chained and password-only rules test the same three attributes with their own inner-method and EapChainingResult values. Rules are evaluated top-down, first match wins, so keep the certificate rules above TEAP-Password-Only: a session that completed a certificate leg must never fall through to the limited-access rule, and anything that matches no rule lands on Default: Deny.
Transition Strategy
During MSCHAPv2 migration, change only the result of the TEAP-Password-Only rule; the certificate rules stay as they are:
- Week 1-4: Password fallback = Same access as cert (Full Access)
- Week 5-8: Password fallback = Limited Access + warning to the user/owner
- Week 9+: Password fallback = Deny (set the rule result to Deny, or remove the rule so Default: Deny applies)
See MSCHAPv2 Migration for phased approach.
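The following is an added example, not Cisco ISE code and not part of the original page. It models the authorization rules from the policy structure above and the week-based transition schedule as a small first-match evaluator, so the ordering point in the Conditions section and the three migration phases can be exercised against constructed requests. The attribute names are the ones the page uses; the values assumed for the user-cert, chained and password-only rules ("User Succeeded", "Both Succeeded", "EAP-MSCHAPv2", "No chaining") are assumptions modelled on the machine-cert condition, not values verified against an ISE dictionary.

```python
"""Toy evaluator for the Wired-TEAP authorization policy (added example).

Requests are plain dicts keyed by the attribute names the policy conditions
reference. Rules are evaluated top-down, first match wins, and an unmatched
request falls through to Default: Deny.
"""
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, str]

TUNNEL = "Network Access:EapTunnel"
INNER = "Network Access:EapAuthentication"
CHAIN = "Network Access:EapChainingResult"


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Attrs], bool]
    result: str


def is_teap(a: Attrs) -> bool:
    return a.get(TUNNEL) == "TEAP"


def machine_cert(a: Attrs) -> bool:
    # Condition as written on the page: TEAP, inner EAP-TLS, machine leg succeeded.
    return is_teap(a) and a.get(INNER) == "EAP-TLS" and a.get(CHAIN) == "Machine Succeeded"


def user_cert(a: Attrs) -> bool:
    # Assumed chaining-result value for a user-certificate-only session.
    return is_teap(a) and a.get(INNER) == "EAP-TLS" and a.get(CHAIN) == "User Succeeded"


def chained(a: Attrs) -> bool:
    # Assumed chaining-result value when both legs of the chain succeeded.
    return is_teap(a) and a.get(CHAIN) == "Both Succeeded"


def password_only(a: Attrs) -> bool:
    # Assumed: password fallback is inner EAP-MSCHAPv2 with no certificate leg.
    return is_teap(a) and a.get(INNER) == "EAP-MSCHAPv2" and a.get(CHAIN) == "No chaining"


def password_fallback_result(week: int) -> str:
    """Transition schedule from the page: weeks 1-4 full, 5-8 limited, 9+ deny."""
    if week < 1:
        raise ValueError("migration week numbering starts at 1")
    if week <= 4:
        return "Full Access"
    if week <= 8:
        return "Limited Access"
    return "Deny"


def build_policy(week: int) -> list[Rule]:
    """Authorization rules in evaluation order: certificate rules before password."""
    return [
        Rule("TEAP-Machine-Cert", machine_cert, "Full Access"),
        Rule("TEAP-User-Cert", user_cert, "Full Access"),
        Rule("TEAP-Chained", chained, "Full Access"),
        Rule("TEAP-Password-Only", password_only, password_fallback_result(week)),
        Rule("Default", lambda a: True, "Deny"),
    ]


def authorize(attrs: Attrs, week: int) -> tuple[str, str]:
    """Return (matched rule name, access result); the first matching rule wins."""
    for rule in build_policy(week):
        if rule.condition(attrs):
            return rule.name, rule.result
    raise AssertionError("unreachable: Default always matches")


if __name__ == "__main__":
    # Constructed sample requests, not captured RADIUS data.
    samples = {
        "machine cert": {TUNNEL: "TEAP", INNER: "EAP-TLS", CHAIN: "Machine Succeeded"},
        "chained": {TUNNEL: "TEAP", INNER: "EAP-TLS", CHAIN: "Both Succeeded"},
        "password fallback": {TUNNEL: "TEAP", INNER: "EAP-MSCHAPv2", CHAIN: "No chaining"},
        "PEAP, not TEAP": {TUNNEL: "PEAP", INNER: "EAP-MSCHAPv2"},
    }
    for week in (2, 6, 10):
        for label, req in samples.items():
            print(f"week {week:2d}  {label:18s} -> {authorize(req, week)}")
```

Only the password-fallback result moves with the week; the certificate rules return Full Access in every phase, and a request that never negotiated TEAP (the PEAP sample) is denied by the Default rule regardless of phase. The example reproduces the page's choice that a session with only the machine leg succeeded gets Full Access.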