Authentication Methods
Overview
ISE supports multiple 802.1X authentication methods. This module covers configuration, migration strategies, and troubleshooting for:
- EAP-TLS - Certificate-only authentication (most secure)
- EAP-TEAP - Tunnel with certificate + password (BYOD-friendly)
- MSCHAPv2 - Password-based (legacy, being deprecated)
Authentication Method Comparison
| Method | Security | User Experience | Complexity | Use Case |
|---|---|---|---|---|
| EAP-TLS | Highest | Seamless (cert auto-selected) | Medium | Domain-joined devices |
| EAP-TEAP | High | Good (cert + password fallback) | High | BYOD, mixed environments |
| PEAP-MSCHAPv2 | Medium | Password prompt | Low | Legacy (deprecate) |
Recommended Architecture
```
┌─────────────────────────────────────────────────────────────┐
│                     Authentication Flow                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐     │
│  │   Managed    │   │     BYOD     │   │    Legacy    │     │
│  │   Devices    │   │   Devices    │   │   Devices    │     │
│  └──────┬───────┘   └──────┬───────┘   └──────┬───────┘     │
│         │                  │                  │             │
│         ▼                  ▼                  ▼             │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐     │
│  │   EAP-TLS    │   │   EAP-TEAP   │   │   MSCHAPv2   │     │
│  │ (Cert Only)  │   │ (Cert+Pass)  │   │  (Password)  │     │
│  └──────┬───────┘   └──────┬───────┘   └──────┬───────┘     │
│         │                  │                  │             │
│         └──────────────────┴──────────────────┘             │
│                            │                                │
│                            ▼                                │
│                    ┌──────────────┐                         │
│                    │     ISE      │                         │
│                    │    Policy    │                         │
│                    └──────────────┘                         │
└─────────────────────────────────────────────────────────────┘
```
Key Topics
Certificate Authority
All certificate-based authentication uses the DOMUS PKI:
```
DOMUS-ROOT-CA (Vault - offline)
└── DOMUS-ISSUING-CA (Vault pki_int - active)
    ├── Server certificates (ISE, Keycloak)
    └── Client certificates (workstations)
```
See Vault PKI Certificate Issuance (infra-ops) for certificate procedures.
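As an added example (not part of this module and not the DOMUS deployment's own tooling), the openssl script below builds a throwaway two-tier hierarchy shaped like the one above and then runs the checks a RADIUS server applies to an EAP-TLS client certificate: a chain to the root through the issuing CA, and a clientAuth EKU. It also shows why the offline root still has to be in the trust store. All subjects, file names and the ws01/ise01 hosts are constructed for the example; nothing here touches Vault.

```shell
#!/bin/sh
# Added example: throwaway root -> issuing CA -> leaf hierarchy built with openssl,
# mirroring the DOMUS layout, followed by EAP-TLS-style client certificate checks.
# Every name below is constructed for this demonstration; no Vault interaction.
set -e
WORK=$(mktemp -d)

# Issue a certificate. $1=file stem, $2=subject, $3=extension lines, $4=signer stem ("" = self-signed).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$WORK/$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
build_pki() {
  issue root    '/CN=DOMUS-ROOT-CA'    "$CA_EXT" ''
  issue issuing '/CN=DOMUS-ISSUING-CA' "$CA_EXT" root
  # Workstation certificate: what a domain-joined client presents in EAP-TLS.
  issue ws01 '/CN=ws01.example.internal' \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth' issuing
  # Server certificate from the same issuing CA, but with a serverAuth-only EKU.
  issue ise01 '/CN=ise01.example.internal' \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth' issuing
}

# $1 = leaf certificate, $2 = trust anchor file. -untrusted supplies the issuing CA as an
# intermediate only; -purpose sslclient requires a clientAuth-capable EKU on the leaf.
verify_client() {
  openssl verify -CAfile "$2" -untrusted "$WORK/issuing.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

build_pki
verify_client "$WORK/ws01.pem"  "$WORK/root.pem"    && echo "ws01: chains to root with clientAuth, accepted"
verify_client "$WORK/ise01.pem" "$WORK/root.pem"    || echo "ise01: serverAuth-only EKU, rejected as a client"
verify_client "$WORK/ws01.pem"  "$WORK/issuing.pem" || echo "ws01: root absent from trust store, rejected"
```

The third case is the one that bites deployments that distribute only the issuing CA: without -partial_chain, openssl (like most supplicant and server trust stores) will not accept a chain that stops at a non-self-signed intermediate.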