CHG-2026-02-24: TEAP Implementation

Change Summary

Field                 Value
--------------------  ------------------------------------------------------
Change ID             CHG-2026-02-24-TEAP
Classification        Normal Change (policy modification, requires testing)
Risk Level            Medium (affects authentication flow)
Requestor             evanusmodestus
Implementation Date   TBD
Backout Window        30 minutes

Business Justification

TEAP (Tunnel Extensible Authentication Protocol) provides:

  • EAP chaining (machine + user auth in single session)

  • Stronger security than PEAP

  • Better Windows integration

  • Reduced authentication round-trips

Current State

# Check current allowed protocols
dsource d000 dev/network
netapi ise ers allowed-protocols list

Target State

  • New Allowed Protocols policy: TEAP-EAP-TLS

  • TEAP enabled with EAP-TLS as inner method

  • Existing EAP-TLS policy unchanged (fallback)

Implementation Plan

Phase 1: Create Allowed Protocols Policy

# Create TEAP-enabled protocol policy
netapi ise ers allowed-protocols create \
  --name "TEAP-EAP-TLS" \
  --description "TEAP with EAP-TLS inner method" \
  --teap-enabled \
  --teap-eap-tls \
  --eap-tls-enabled

# Verify the policy was created as specified
netapi ise ers allowed-protocols get --name "TEAP-EAP-TLS"

Phase 2: Create Test Authentication Rule

# Add rule to test policy set (NOT production)
netapi ise openapi auth-rule create \
  --policy-set "Test_802.1X" \
  --name "TEAP-Test-Rule" \
  --condition "Device:DeviceType EQUALS Linux" \
  --allowed-protocols "TEAP-EAP-TLS" \
  --identity-source "Internal Users"

Phase 3: Test with Single Endpoint

# Test endpoint (modestus-aw)
MAC="{ws-aw-wired-mac}"

# Force re-authentication
netapi ise mnt coa --mac $MAC --action reauth

# Monitor authentication
netapi ise mnt sessions --mac $MAC

Expected Result

Authentication Method: TEAP
Inner Method: EAP-TLS
Status: PASS
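An added gate check for the Phase 3 result (example code, not part of this change record or of the netapi tool): it parses session output in the "Key: value" form shown above and fails unless authentication method, inner method and status all match, so the rollout does not proceed on an endpoint that silently fell back to the plain EAP-TLS rule. The sample session outputs are constructed, not captured from ISE.

```shell
# Added example for the Phase 3 gate; assumes the session output uses the
# "Key: value" lines shown in Expected Result. Sample outputs are constructed.

# Print the value of one "Key: value" line read from stdin (first match only).
session_field() {
  key="$1"
  sed -n "s/^${key}:[[:space:]]*//p" | head -n 1
}

# Return 0 only when the session shows TEAP, EAP-TLS inside, and a PASS status.
# Every mismatch is reported so a partial fallback is visible in the log.
check_teap_session() {
  output="$1"
  method=$(printf '%s\n' "$output" | session_field "Authentication Method")
  inner=$(printf '%s\n' "$output" | session_field "Inner Method")
  status=$(printf '%s\n' "$output" | session_field "Status")
  rc=0
  [ "$method" = "TEAP" ]   || { echo "FAIL: method '$method' != TEAP" >&2; rc=1; }
  [ "$inner" = "EAP-TLS" ] || { echo "FAIL: inner '$inner' != EAP-TLS" >&2; rc=1; }
  [ "$status" = "PASS" ]   || { echo "FAIL: status '$status' != PASS" >&2; rc=1; }
  return $rc
}

# Constructed sample: a successful TEAP chain with EAP-TLS as the inner method.
SAMPLE_OK="Authentication Method: TEAP
Inner Method: EAP-TLS
Status: PASS"

# Constructed sample: the endpoint authenticated, but via the EAP-TLS fallback
# rule, so there is no inner method and the gate must fail.
SAMPLE_FALLBACK="Authentication Method: EAP-TLS
Status: PASS"

# Live use (hypothetical wiring, not run here):
# check_teap_session "$(netapi ise mnt sessions --mac $MAC)" || exit 1
```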

Phase 4: Validate via DataConnect

netapi ise dc query "
SELECT USERNAME, AUTHENTICATION_METHOD, SELECTED_AUTHORIZATION_PROFILES
FROM RADIUS_AUTHENTICATIONS
WHERE MAC_ADDRESS = '$MAC'
AND TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '1' HOUR
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 5 ROWS ONLY
"

Phase 5: Production Rollout

# Update production policy set
netapi ise openapi auth-rule create \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations" \
  --condition "IdentityGroup:Name EQUALS Linux-Workstations" \
  --allowed-protocols "TEAP-EAP-TLS" \
  --identity-source "Internal Users"

Backout Plan

Immediate Rollback (< 5 min)

# Disable TEAP rule
netapi ise openapi auth-rule update \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations" \
  --state disabled

# Force re-auth to fall back to EAP-TLS
netapi ise mnt coa --mac $MAC --action reauth

Full Rollback

# Delete TEAP rule
netapi ise openapi auth-rule delete \
  --policy-set "Wired_802.1X_Closed" \
  --name "TEAP-Linux-Workstations"

# Delete allowed protocols policy
netapi ise ers allowed-protocols delete --name "TEAP-EAP-TLS"

Risk Assessment

Risk                     Likelihood  Mitigation
-----------------------  ----------  ------------------------------------------------------
Authentication failures  Medium      Test with single endpoint first; keep EAP-TLS fallback
Client incompatibility   Low         Linux wpa_supplicant supports TEAP since v2.10
ISE performance impact   Low         TEAP reduces round-trips vs PEAP

Approval

Role         Name            Date
-----------  --------------  ----------
Requestor    evanusmodestus  2026-02-24
Implementer  evanusmodestus
Approver

Execution Log

Step                               Status   Timestamp  Notes
---------------------------------  -------  ---------  -----
Phase 1: Create Allowed Protocols  PENDING
Phase 2: Create Test Rule          PENDING
Phase 3: Single Endpoint Test      PENDING
Phase 4: DataConnect Validation    PENDING
Phase 5: Production Rollout        PENDING