CHG-2026-02-24: TEAP Implementation — Implementation
Implementation Plan
Phase 1: Create Allowed Protocols Policy
netapi ise ers allowed-protocols create \
--name "TEAP-EAP-TLS" \
--description "TEAP with EAP-TLS inner method" \
--teap-enabled \
--teap-eap-tls \
--eap-tls-enabled
Note: EAP-TLS stays enabled alongside TEAP so endpoints whose supplicant has not yet been switched to TEAP keep authenticating during the rollout. The TEAP inner method is restricted to EAP-TLS, so this policy exposes no password-based (EAP-MSCHAPv2) inner method.
Phase 2: Create Test Authentication Rule
netapi ise openapi auth-rule create \
--policy-set "Test_802.1X" \
--name "TEAP-Test-Rule" \
--condition "Device:DeviceType EQUALS Linux" \
--allowed-protocols "TEAP-EAP-TLS" \
--identity-source "Internal Users"
Checks before running:
- In ISE, DEVICE:Device Type is a network device group attribute: it classifies the switch or WLC sending the RADIUS request, not the endpoint. If the intent is to match the Linux test endpoint, use its endpoint identity group (as the Phase 5 rule does); if the intent is to scope the test to the lab switch, make sure that switch is actually in a "Linux" device type group.
- "Internal Users" is a password store. Certificate-based methods (EAP-TLS, including TEAP with inner EAP-TLS) resolve the identity through a Certificate Authentication Profile or an identity source sequence that contains one; with a plain Internal Users source the inner EAP-TLS authentication fails at identity lookup. Point the rule at the CAP or sequence used for the existing EAP-TLS rule.
Phase 3: Test with Single Endpoint
MAC="14:F6:D8:7B:31:80"
# Force re-authentication
netapi ise mnt coa --mac "$MAC" --action reauth
# Monitor authentication
netapi ise mnt sessions --mac "$MAC"
Expected result:
Authentication Method: TEAP
Inner Method: EAP-TLS
Status: PASS
If the session still reports plain EAP-TLS, the endpoint's supplicant has not been switched to TEAP and is matching the standalone EAP-TLS entry from Phase 1; fix the supplicant before going further.
Phase 4: Validate via DataConnect
netapi ise dc query "
SELECT USERNAME, AUTHENTICATION_METHOD, SELECTED_AUTHORIZATION_PROFILES
FROM RADIUS_AUTHENTICATIONS
WHERE MAC_ADDRESS = '$MAC'
AND TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '1' HOUR
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 5 ROWS ONLY
"
Phase 5: Production Rollout
netapi ise openapi auth-rule create \
--policy-set "Wired_802.1X_Closed" \
--name "TEAP-Linux-Workstations" \
--condition "IdentityGroup:Name EQUALS Linux-Workstations" \
--allowed-protocols "TEAP-EAP-TLS" \
--identity-source "Internal Users"
Checks: the authentication policy is evaluated top-down and the first matching rule wins, so confirm that TEAP-Linux-Workstations sits above any broader rule that would otherwise catch these endpoints. Keep the existing rule in place until every Linux-Workstations endpoint has been verified on TEAP, so un-migrated supplicants are not cut off. The identity-source check from Phase 2 applies to this rule as well.
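The gate a practitioner would put between Phase 4 and Phase 5, as an added example: this is not code from the change record and not part of the netapi tool. It post-processes the kind of rows the Phase 4 DataConnect query returns and only reports "safe to run Phase 5" when every test endpoint authenticated exclusively with TEAP and inner EAP-TLS with no failures. Assumptions not stated on the page: that `netapi ise dc query` can emit CSV with a header row in the column order MAC_ADDRESS,AUTHENTICATION_METHOD,FAILURE_REASON, that FAILURE_REASON is empty on a passed authentication, and that AUTHENTICATION_METHOD names both outer and inner method (e.g. "TEAP (EAP-TLS)"). The rows in SAMPLE_CSV are constructed sample data standing in for that output.

```bash
#!/usr/bin/env bash
# Added example for this change record; not part of the original runbook or the netapi tool.
# It checks Phase 4 evidence before Phase 5 is run.
#
# Assumptions (not stated in the change record):
#   - `netapi ise dc query` can emit CSV, one authentication per line, with a header row
#     and the column order MAC_ADDRESS,AUTHENTICATION_METHOD,FAILURE_REASON.
#   - FAILURE_REASON is empty on a passed authentication.
#   - AUTHENTICATION_METHOD names outer and inner method, e.g. "TEAP (EAP-TLS)".
# SAMPLE_CSV below is constructed sample data standing in for that output.
set -u

SAMPLE_CSV='MAC_ADDRESS,AUTHENTICATION_METHOD,FAILURE_REASON
14:F6:D8:7B:31:80,TEAP (EAP-TLS),
14:F6:D8:7B:31:80,TEAP (EAP-TLS),
AA:BB:CC:00:11:22,TEAP (EAP-TLS),
AA:BB:CC:00:11:22,PEAP (EAP-MSCHAPv2),
DE:AD:BE:EF:00:01,TEAP (EAP-TLS),12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain'

# teap_gate: read the CSV on stdin, print one verdict line per MAC, and return 0 only
# if every MAC authenticated exclusively with TEAP + inner EAP-TLS and never failed.
# A MAC that still shows another method (supplicant not migrated) or a TEAP failure
# (e.g. an unknown CA in the client chain) is reported as FAIL with the offending rows.
teap_gate() {
  awk -F',' '
    NR == 1 && $1 == "MAC_ADDRESS" { next }   # skip the header row
    NF < 3 { next }                            # ignore blank or truncated rows
    {
      mac = $1; method = $2
      # FAILURE_REASON is the last column and may itself contain commas,
      # so take everything after the second comma instead of $3.
      reason = substr($0, length($1) + length($2) + 3)
      seen[mac] = 1
      if (method ~ /^TEAP/ && method ~ /EAP-TLS/ && reason == "")
        ok[mac]++
      else {
        bad[mac]++
        detail[mac] = detail[mac] "\n    " method (reason == "" ? "" : " -> " reason)
      }
    }
    END {
      rc = 0
      for (m in seen) {
        if (bad[m] > 0) {
          rc = 1
          printf "%s FAIL teap_eap_tls=%d other_or_failed=%d%s\n", m, ok[m] + 0, bad[m], detail[m]
        } else
          printf "%s OK teap_eap_tls=%d\n", m, ok[m] + 0
      }
      exit rc
    }'
}

# Stand-alone run on the constructed sample. With live data the input would come from
# the Phase 4 query, selecting the three columns above, piped into teap_gate.
if printf '%s\n' "$SAMPLE_CSV" | teap_gate; then
  echo "gate passed: safe to run Phase 5"
else
  echo "gate failed: fix the endpoints above before Phase 5"
fi
```

On the sample, 14:F6:D8:7B:31:80 passes, AA:BB:CC:00:11:22 fails because one authentication still used PEAP (the supplicant is not fully migrated), and DE:AD:BE:EF:00:01 fails because its TEAP attempt was rejected for an unknown CA, so the gate returns non-zero and Phase 5 should wait.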
CLI Mastery: ISE Policy Commands
List Allowed Protocols
netapi ise ers allowed-protocols list | jq -r '.resources[] | "\(.name): \(.id)"'
Get Protocol Details
netapi ise ers allowed-protocols get --name "TEAP-EAP-TLS" | jq '.AllowedProtocols'
Authentication Live Monitoring
# Watch authentications in real-time
watch -n 5 'netapi ise mnt sessions --mac 14:F6:D8:7B:31:80'
DataConnect Auth Analytics
# Auth method distribution
netapi ise dc query "
SELECT AUTHENTICATION_METHOD, COUNT(*) as CNT
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '24' HOUR
GROUP BY AUTHENTICATION_METHOD
ORDER BY CNT DESC
"