EAP-TEAP ISE Configuration

Allowed Protocols

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols

  2. Enable EAP-TEAP:

    • Allow EAP-TEAP

    • Allow EAP-TLS as inner method

    • Allow EAP-MSCHAPv2 as inner method

EAP-TEAP Settings

Inner Methods

Configure allowed inner methods:

  • EAP-TLS - Certificate-based (preferred)

  • EAP-MSCHAPv2 - Password-based (fallback only; the authorization policy below maps it to Limited_Access)

Chaining

Enable EAP chaining so that machine and user authentication both complete inside a single TEAP tunnel:

EAP-TEAP Settings:
  - Enable EAP Chaining: Yes
  - Request inner methods for machine auth: Certificate
  - Request inner methods for user auth: Certificate or Password

Policy Set Configuration

Authentication Policy

Rule: EAP-TEAP-Auth
Condition: Network Access:EapTunnel EQUALS TEAP
Identity Source: AD with Certificate

Authorization Policy

Grant a different authorization result depending on which inner method actually succeeded, so a password fallback never receives the access reserved for certificate authentication:

Rule: TEAP-Cert-Only
Condition:
  Network Access:EapTunnel EQUALS TEAP
  AND Network Access:EapAuthentication EQUALS EAP-TLS
Result: Full_Access

Rule: TEAP-Password-Fallback
Condition:
  Network Access:EapTunnel EQUALS TEAP
  AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
Result: Limited_Access

Verification

Query the last 24 hours of TEAP authentications from the ISE database (Oracle SQL; SYSDATE - 1 is one day ago) and confirm that each AUTHENTICATION_PROTOCOL landed on the expected AUTHORIZATION_RULE:

SELECT USERNAME, AUTHENTICATION_PROTOCOL, AUTHORIZATION_RULE
FROM RADIUS_AUTHENTICATIONS
WHERE EAP_TUNNEL = 'TEAP'
AND TIMESTAMP_TIMEZONE > SYSDATE - 1;
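The following script turns the authorization policy and the verification query above into an automated check. It is an added example, not Cisco ISE code: it assumes each authentication record is a dict keyed by the column names from the query (USERNAME, AUTHENTICATION_PROTOCOL, AUTHORIZATION_RULE, EAP_TUNNEL), as a CSV export or a DB-API cursor would give you, and it assumes the protocol column holds either the bare inner method ("EAP-TLS") or the tunnel with the inner method in parentheses ("EAP-TEAP (EAP-TLS)"). The sample records are constructed for this example. It flags TEAP sessions whose authorization rule does not match the inner method that succeeded, flags inner methods that are not enabled in the allowed protocols, and reports how much of the TEAP traffic is relying on the password fallback.

```python
"""Audit ISE RADIUS authentication records against the TEAP authorization policy.

Added example, not ISE's own code. Records are dicts keyed by the column names in
the verification query (USERNAME, AUTHENTICATION_PROTOCOL, AUTHORIZATION_RULE,
EAP_TUNNEL). The sample records below are constructed, not real ISE output.
"""
import re
from collections import Counter

# Inner method -> authorization rule, mirroring the two rules in the policy set.
EXPECTED_RULES = {
    "EAP-TLS": "TEAP-Cert-Only",
    "EAP-MSCHAPv2": "TEAP-Password-Fallback",
}


def inner_method(protocol):
    """Normalise the reported protocol to the inner method name.

    Assumption: the column holds either the bare inner method ("EAP-TLS") or the
    tunnel with the inner method in parentheses ("EAP-TEAP (EAP-TLS)").
    """
    if protocol is None:
        return None
    match = re.search(r"\(([^)]+)\)", protocol)
    return (match.group(1) if match else protocol).strip()


def audit(records):
    """Return (username, reason) findings for TEAP sessions that did not land on
    the authorization rule the inner method should have produced."""
    findings = []
    for rec in records:
        if rec.get("EAP_TUNNEL") != "TEAP":
            continue  # not a TEAP session; the rules on this page do not apply
        method = inner_method(rec.get("AUTHENTICATION_PROTOCOL"))
        expected = EXPECTED_RULES.get(method)
        actual = rec.get("AUTHORIZATION_RULE")
        if expected is None:
            # Only EAP-TLS and EAP-MSCHAPv2 are enabled as inner methods.
            findings.append((rec["USERNAME"], f"unexpected inner method {method!r}"))
        elif actual != expected:
            findings.append((rec["USERNAME"], f"expected {expected}, got {actual}"))
    return findings


def fallback_share(records):
    """Fraction of TEAP sessions that succeeded via the password fallback.

    A rising value usually means endpoints are losing their certificates and
    quietly landing in Limited_Access instead of Full_Access."""
    counts = Counter(
        inner_method(rec.get("AUTHENTICATION_PROTOCOL"))
        for rec in records
        if rec.get("EAP_TUNNEL") == "TEAP"
    )
    total = sum(counts.values())
    return counts["EAP-MSCHAPv2"] / total if total else 0.0


# Constructed sample records (not real ISE data).
SAMPLE_RECORDS = [
    {"USERNAME": "host/pc01.example.com", "AUTHENTICATION_PROTOCOL": "EAP-TLS",
     "AUTHORIZATION_RULE": "TEAP-Cert-Only", "EAP_TUNNEL": "TEAP"},
    {"USERNAME": "alice", "AUTHENTICATION_PROTOCOL": "EAP-MSCHAPv2",
     "AUTHORIZATION_RULE": "TEAP-Password-Fallback", "EAP_TUNNEL": "TEAP"},
    # Password auth that somehow received the certificate-only result.
    {"USERNAME": "bob", "AUTHENTICATION_PROTOCOL": "EAP-MSCHAPv2",
     "AUTHORIZATION_RULE": "TEAP-Cert-Only", "EAP_TUNNEL": "TEAP"},
    # PEAP session: outside the scope of the TEAP rules, ignored.
    {"USERNAME": "carol", "AUTHENTICATION_PROTOCOL": "EAP-TLS",
     "AUTHORIZATION_RULE": "Default", "EAP_TUNNEL": "PEAP"},
    # Inner method that is not enabled in the allowed protocols.
    {"USERNAME": "dave", "AUTHENTICATION_PROTOCOL": "EAP-GTC",
     "AUTHORIZATION_RULE": "Default", "EAP_TUNNEL": "TEAP"},
    # Protocol reported with the tunnel name prefixed; still a valid cert auth.
    {"USERNAME": "erin", "AUTHENTICATION_PROTOCOL": "EAP-TEAP (EAP-TLS)",
     "AUTHORIZATION_RULE": "TEAP-Cert-Only", "EAP_TUNNEL": "TEAP"},
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_RECORDS):
        print(f"{user}: {reason}")
    print(f"password fallback share: {fallback_share(SAMPLE_RECORDS):.0%}")
```

Run it against the rows returned by the verification query; any finding from audit() means a session ended up with access its inner method should not have earned and the authorization rule order or conditions need review, while the fallback share is worth trending over time to catch certificate deployment problems before they turn into a mass of Limited_Access endpoints.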