# CHG-2026-02-24: TEAP Implementation

## Change Summary

| Field | Value |
|---|---|
| Change ID | CHG-2026-02-24-TEAP |
| Date | 2026-02-24 |
| Classification | Normal Change |
| Risk Level | Medium |
| Status | Pending |
## Business Justification

TEAP (Tunnel Extensible Authentication Protocol) provides:

- EAP chaining: machine + user authentication in a single session
- Stronger security than PEAP
- Better Windows integration
- Reduced authentication round-trips
## Current State
```bash
netapi ise ers allowed-protocols list
```
## Target State

- New Allowed Protocols policy `TEAP-EAP-TLS`: TEAP enabled with EAP-TLS as the inner method
- Existing EAP-TLS policy unchanged (kept as fallback)
## Implementation Plan

### Phase 1: Create Allowed Protocols Policy

```bash
netapi ise ers allowed-protocols create \
  --name "TEAP-EAP-TLS" \
  --description "TEAP with EAP-TLS inner method" \
  --teap-enabled \
  --teap-eap-tls \
  --eap-tls-enabled
```
### Phase 2: Create Test Authentication Rule

```bash
netapi ise openapi auth-rule create \
  --policy-set "Test_802.1X" \
  --name "TEAP-Test-Rule" \
  --condition "Device:DeviceType EQUALS Linux" \
  --allowed-protocols "TEAP-EAP-TLS" \
  --identity-source "Internal Users"
```
### Phase 3: Test with Single Endpoint

```bash
MAC="14:F6:D8:7B:31:80"

# Force re-authentication
netapi ise mnt coa --mac $MAC --action reauth

# Monitor authentication
netapi ise mnt sessions --mac $MAC
```

Expected result:

```text
Authentication Method: TEAP
Inner Method: EAP-TLS
Status: PASS
```
### Phase 4: Validate via DataConnect

```bash
netapi ise dc query "
SELECT USERNAME, AUTHENTICATION_METHOD, SELECTED_AUTHORIZATION_PROFILES
FROM RADIUS_AUTHENTICATIONS
WHERE MAC_ADDRESS = '$MAC'
  AND TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '1' HOUR
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 5 ROWS ONLY
"
```
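A rollout gate that combines the Phase 3 and Phase 4 checks, as an added example that is not part of this change record or of the netapi tooling. It assumes the session lookup prints one `Key: Value` attribute per line, and it works on constructed DataConnect rows; the `STATUS` column in those rows is an assumption (the Phase 4 query selects only the three columns shown). It signals that Phase 5 may proceed only when the live session is TEAP with EAP-TLS inside, at least three recent TEAP authentications passed, and none failed; a passing EAP-TLS session is reported as `FALLBACK` so that a silent match on the old policy is not mistaken for a successful TEAP test.

```python
"""Rollout gate for the TEAP test phase.

Added example; not part of the change record or the netapi tooling. Assumptions:
- `netapi ise mnt sessions --mac ...` prints one "Key: Value" attribute per line.
- DataConnect rows are dicts keyed by column name; the STATUS column is assumed
  (the Phase 4 query selects only USERNAME, AUTHENTICATION_METHOD and
  SELECTED_AUTHORIZATION_PROFILES).
"""
from collections import Counter

TEST_MAC = "14:F6:D8:7B:31:80"

# Constructed sample of the session lookup output for the test endpoint.
SAMPLE_SESSION_OUTPUT = """\
MAC Address: 14:F6:D8:7B:31:80
Authentication Method: TEAP
Inner Method: EAP-TLS
Status: PASS
"""

# Constructed sample DataConnect rows, newest first (as the Phase 4 query orders them):
# three TEAP authentications since the test rule was created, two EAP-TLS ones before it.
SAMPLE_RECORDS = [
    {"USERNAME": "host/lx-ws-01", "AUTHENTICATION_METHOD": "TEAP (EAP-TLS)",
     "SELECTED_AUTHORIZATION_PROFILES": "Linux-Workstation-Access", "STATUS": "PASS"},
    {"USERNAME": "host/lx-ws-01", "AUTHENTICATION_METHOD": "TEAP (EAP-TLS)",
     "SELECTED_AUTHORIZATION_PROFILES": "Linux-Workstation-Access", "STATUS": "PASS"},
    {"USERNAME": "host/lx-ws-01", "AUTHENTICATION_METHOD": "TEAP (EAP-TLS)",
     "SELECTED_AUTHORIZATION_PROFILES": "Linux-Workstation-Access", "STATUS": "PASS"},
    {"USERNAME": "host/lx-ws-01", "AUTHENTICATION_METHOD": "EAP-TLS",
     "SELECTED_AUTHORIZATION_PROFILES": "Linux-Workstation-Access", "STATUS": "PASS"},
    {"USERNAME": "host/lx-ws-01", "AUTHENTICATION_METHOD": "EAP-TLS",
     "SELECTED_AUTHORIZATION_PROFILES": "Linux-Workstation-Access", "STATUS": "PASS"},
]


def parse_session(text):
    """Turn 'Key: Value' lines into a dict. Split on the first colon only, so a
    MAC address (which itself contains colons) survives intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def session_verdict(fields):
    """Classify one live session against the Phase 3 expected result."""
    method = fields.get("Authentication Method", "").upper()
    inner = fields.get("Inner Method", "").upper()
    status = fields.get("Status", "").upper()
    if status != "PASS":
        return "FAIL"
    if method == "TEAP" and inner == "EAP-TLS":
        return "TEAP_OK"
    if method == "EAP-TLS":
        # Authenticated, but the existing EAP-TLS policy matched, not the new TEAP rule.
        return "FALLBACK"
    return "UNEXPECTED"


def rollout_gate(session_text, records, min_teap_passes=3):
    """Return a summary dict; 'proceed' is True only when every check holds."""
    verdict = session_verdict(parse_session(session_text))
    methods = Counter(r["AUTHENTICATION_METHOD"] for r in records)
    teap_passes = sum(
        1 for r in records
        if r["AUTHENTICATION_METHOD"].upper().startswith("TEAP") and r["STATUS"] == "PASS"
    )
    failures = [r for r in records if r["STATUS"] != "PASS"]
    return {
        "session": verdict,
        "methods": dict(methods),
        "teap_passes": teap_passes,
        "failures": len(failures),
        "proceed": verdict == "TEAP_OK" and teap_passes >= min_teap_passes and not failures,
    }


if __name__ == "__main__":
    for key, value in rollout_gate(SAMPLE_SESSION_OUTPUT, SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

In use, `SAMPLE_SESSION_OUTPUT` would be replaced by the captured output of the Phase 3 session lookup and `SAMPLE_RECORDS` by the Phase 4 query result; the `methods` counter also makes it obvious when the endpoint is still alternating between the new TEAP rule and the EAP-TLS fallback.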
### Phase 5: Production Rollout

```bash
netapi ise openapi auth-rule create \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations" \
  --condition "IdentityGroup:Name EQUALS Linux-Workstations" \
  --allowed-protocols "TEAP-EAP-TLS" \
  --identity-source "Internal Users"
```
## Backout Plan

### Immediate Rollback (< 5 min)

```bash
# Disable TEAP rule
netapi ise openapi auth-rule update \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations" \
  --state disabled

# Force re-auth to fall back to EAP-TLS
netapi ise mnt coa --mac $MAC --action reauth
```

### Full Rollback

```bash
# Delete TEAP rule
netapi ise openapi auth-rule delete \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations"

# Delete allowed protocols policy
netapi ise ers allowed-protocols delete --name "TEAP-EAP-TLS"
```
## Risk Assessment

| Risk | Likelihood | Mitigation |
|---|---|---|
| Authentication failures | Medium | Test with single endpoint first, keep EAP-TLS fallback |
| Client incompatibility | Low | Linux wpa_supplicant supports TEAP since v2.10 |
| ISE performance impact | Low | TEAP reduces round-trips vs PEAP |
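A readiness check for the client-incompatibility risk, as an added example that is not part of this change record: it reads the `wpa_supplicant -v` banner (assumed to begin with `wpa_supplicant v<major>.<minor>`; the fleet below is constructed, with placeholder hostnames) and sorts hosts into those that may join the `Linux-Workstations` rollout group and those that must stay on the EAP-TLS fallback. The version is compared numerically, because the obvious string comparison puts "2.10" before "2.9" and would wrongly exclude the very release that introduced TEAP support.

```python
"""wpa_supplicant TEAP readiness check.

Added example; not from the change record. It assumes the `wpa_supplicant -v`
banner starts with "wpa_supplicant v<major>.<minor>" (samples are constructed).
"""
import re

# From the change record: TEAP needs wpa_supplicant >= 2.10.
MIN_TEAP_VERSION = (2, 10)

_VERSION_RE = re.compile(r"wpa_supplicant v(\d+)\.(\d+)")

# Constructed banners for a small fleet (hostnames are placeholders).
SAMPLE_FLEET = {
    "lx-ws-01": "wpa_supplicant v2.10\n",
    "lx-ws-02": "wpa_supplicant v2.9\n",
    "lx-ws-03": "wpa_supplicant v2.11-devel\n",
    "lx-ws-04": "wpa_supplicant: command not found\n",
}


def parse_version(banner):
    """Return (major, minor) as integers, or None when the banner is unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def supports_teap(banner):
    """Numeric tuple comparison: as strings, "2.10" < "2.9" and 2.10 would be rejected."""
    version = parse_version(banner)
    return version is not None and version >= MIN_TEAP_VERSION


def teap_readiness(fleet):
    """Split a {host: banner} map into hosts ready for the TEAP rollout group and
    hosts to hold on the EAP-TLS fallback, keyed by the reason for holding them."""
    ready, hold = [], {}
    for host, banner in fleet.items():
        version = parse_version(banner)
        if version is None:
            hold[host] = "version unknown"
        elif version < MIN_TEAP_VERSION:
            hold[host] = f"wpa_supplicant {version[0]}.{version[1]} < 2.10"
        else:
            ready.append(host)
    return sorted(ready), hold


if __name__ == "__main__":
    ready, hold = teap_readiness(SAMPLE_FLEET)
    print("ready:", ", ".join(ready))
    for host, reason in hold.items():
        print(f"hold {host}: {reason}")
```

The version number alone does not prove that the distribution's build has EAP-TEAP compiled in (it is an optional build setting in wpa_supplicant, `CONFIG_EAP_TEAP`), so this check narrows the candidate list; the single-endpoint test in Phase 3 remains the proof that a client actually completes TEAP.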
## CLI Mastery: ISE Policy Commands

### List Allowed Protocols

```bash
netapi ise ers allowed-protocols list | jq -r '.resources[] | "\(.name): \(.id)"'
```

### Get Protocol Details

```bash
netapi ise ers allowed-protocols get --name "TEAP-EAP-TLS" | jq '.AllowedProtocols'
```

### Authentication Live Monitoring

```bash
# Watch authentications in real-time
watch -n 5 'netapi ise mnt sessions --mac 14:F6:D8:7B:31:80'
```

### DataConnect Auth Analytics

```bash
# Auth method distribution
netapi ise dc query "
SELECT AUTHENTICATION_METHOD, COUNT(*) AS CNT
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '24' HOUR
GROUP BY AUTHENTICATION_METHOD
ORDER BY CNT DESC
"
```
## Key Lessons

| Topic | Lesson |
|---|---|
| TEAP vs PEAP | TEAP supports EAP chaining (machine + user), PEAP does not |
| Fallback strategy | Keep existing EAP-TLS policy as fallback during rollout |
| wpa_supplicant version | TEAP requires wpa_supplicant >= 2.10 |
| netapi patterns | Use |