CHG-2026-02-24: TEAP Implementation — Risk & Comms

Risk Assessment

| Risk | Likelihood | Mitigation |
|------|------------|------------|
| Authentication failures | Medium | Test with single endpoint first, keep EAP-TLS fallback |
| Client incompatibility | Low | Linux wpa_supplicant supports TEAP since v2.10 |
| ISE performance impact | Low | TEAP reduces round-trips vs PEAP |

Key Lessons

| Topic | Lesson |
|-------|--------|
| TEAP vs PEAP | TEAP supports EAP chaining (machine + user), PEAP does not |
| Fallback strategy | Keep existing EAP-TLS policy as fallback during rollout |
| wpa_supplicant version | TEAP requires wpa_supplicant >= 2.10 |
| netapi patterns | Use netapi ise mnt coa for instant re-auth during testing |
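
A pre-flight check for the wpa_supplicant version requirement and the EAP-TLS fallback lesson above, as an added example that is not part of the original change record. The function names are hypothetical, and it assumes the banner format `wpa_supplicant vX.Y` printed by `wpa_supplicant -v`; the sample banners are constructed.

```shell
#!/bin/sh
# Added example: gate TEAP rollout on the supplicant version.
# The 2.10 threshold comes from this change record.
MIN_MAJOR=2
MIN_MINOR=10

# Extract "MAJOR MINOR" from a `wpa_supplicant -v` banner; prints nothing if absent.
parse_wpa_version() {
    printf '%s\n' "$1" |
        sed -n 's/^wpa_supplicant v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Return 0 if the banner reports >= 2.10, 1 if older, 2 if unparseable.
teap_capable() {
    ver=$(parse_wpa_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    # Compare components as integers: read as a decimal, 2.10 sorts below 2.9.
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then return 0; fi
    return 1
}

# Decide which EAP policy an endpoint should be tested against.
# Anything older or unparseable stays on the existing EAP-TLS fallback.
rollout_decision() {
    if teap_capable "$1"; then
        echo "TEAP"
    else
        echo "EAP-TLS"
    fi
}

# Constructed sample banners (first line of `wpa_supplicant -v` output).
for banner in "wpa_supplicant v2.9" "wpa_supplicant v2.10" \
              "wpa_supplicant v2.11-devel" "command not found"; do
    printf '%-28s -> %s\n' "$banner" "$(rollout_decision "$banner")"
done
```

On an endpoint, pass the real banner with `rollout_decision "$(wpa_supplicant -v)"`.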