dc auth-methods

Synopsis

netapi ise dc auth-methods [OPTIONS]

Description

Show the distribution of authentication methods (EAP-TLS, PEAP, MAB, etc.) with pass and fail counts for each. Essential for security posture assessment and migration planning.

Options

Option        Default   Description
--hours, -h   24        Hours to look back

Usage

# Last 24 hours
netapi ise dc auth-methods

# Last week
netapi ise dc auth-methods --hours 168

# JSON for processing
netapi ise dc --format json auth-methods

Sample Output

           Auth Methods (last 24h)
┏━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━┓
┃ Method                 ┃ Count ┃ Passed ┃ Failed ┃ Success % ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━┩
│ EAP-TLS                │   847 │    845 │      2 │ 99.8%     │
│ PEAP(EAP-MSCHAPv2)     │   234 │    220 │     14 │ 94.0%     │
│ MAB                    │   156 │    140 │     16 │ 89.7%     │
│ EAP-FAST               │    45 │     45 │      0 │ 100.0%    │
│ PAP                    │    12 │     10 │      2 │ 83.3%     │
└────────────────────────┴───────┴────────┴────────┴───────────┘

Authentication Methods

Method               Description
EAP-TLS              Certificate-based - strongest security, no passwords
PEAP(EAP-MSCHAPv2)   Username/password in TLS tunnel
EAP-FAST             Cisco proprietary, faster than PEAP
MAB                  MAC Authentication Bypass - no credentials, uses MAC address
PAP                  Clear text password - only for legacy/VPN

Use Cases

Security Posture Assessment

#!/bin/bash
# Calculate certificate vs password auth ratio

DATA=$(netapi ise dc --format json auth-methods --hours 168)

CERT=$(echo "$DATA" | jq '[.[] | select(.auth_method | test("TLS|TEAP")) | .count] | add // 0')
PASS=$(echo "$DATA" | jq '[.[] | select(.auth_method | test("PEAP|CHAP|PAP")) | .count] | add // 0')
MAB=$(echo "$DATA" | jq '[.[] | select(.auth_method | test("MAB|mab")) | .count] | add // 0')

echo "Certificate-based: $CERT"
echo "Password-based: $PASS"
echo "MAC-based (MAB): $MAB"

# Methods that match none of the patterns above (EAP-FAST, for example) are not part of TOTAL
TOTAL=$((CERT + PASS + MAB))
if [[ $TOTAL -gt 0 ]]; then
  echo "Certificate ratio: $((CERT * 100 / TOTAL))%"
fi

Migration Tracking

# Track migration from PEAP to EAP-TLS over time
echo "=== This Week ==="
netapi ise dc auth-methods --hours 168

echo "=== Last Month ==="
# Older data needs a raw query (this one covers 30 to 7 days ago)
netapi ise dc query "
SELECT
  AUTHENTICATION_METHOD,
  COUNT(*) as count
FROM RADIUS_AUTHENTICATION
WHERE TIMESTAMP_TZ BETWEEN SYSDATE - 30 AND SYSDATE - 7
GROUP BY AUTHENTICATION_METHOD
ORDER BY count DESC
"

Identify Problem Methods

# Which methods have high failure rates?
netapi ise dc --format json auth-methods | jq '
  .[] | select(.success_pct < 90) |
  "\(.auth_method): \(.success_pct)% success (\(.failed) failures)"
' -r

Export for Reporting

# Weekly auth method report
netapi ise dc --format json auth-methods --hours 168 | jq -r '
  ["Method","Count","Passed","Failed","Success%"],
  (.[] | [.auth_method, .count, .passed, .failed, .success_pct]) | @csv
' > auth_methods_weekly.csv

Security Recommendations

Method     Security Level   Recommendation
EAP-TLS    High             Preferred - deploy certificates
EAP-TEAP   High             Good - supports cert + machine auth
PEAP       Medium           Acceptable - migrate to certs when possible
MAB        Low              Only for headless devices (printers, IoT)
PAP        Very Low         Avoid - legacy only
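
The levels above can be applied directly to the JSON output to see what share of authentications falls into each level. The following is an added example, not part of netapi: it assumes the JSON is an array of objects with the auth_method and count fields used in the jq snippets on this page, rates by outer method only, and reports methods the table does not rate (such as EAP-FAST) as Unrated instead of dropping them. The names level_for, summarize and SAMPLE are chosen for this example.

```python
import json
import sys

# Levels copied from the Security Recommendations table on this page.
LEVELS = {"EAP-TLS": "High", "EAP-TEAP": "High", "PEAP": "Medium",
          "MAB": "Low", "PAP": "Very Low"}

def level_for(method):
    """Rate by outer method only, so 'PEAP(EAP-TLS)' is counted once, as PEAP."""
    outer = method.split("(", 1)[0].strip().upper()
    return LEVELS.get(outer, "Unrated")  # e.g. EAP-FAST is not in the table

def summarize(rows):
    """Map level -> {"count", "pct" (share of all authentications), "methods"}."""
    total = sum(r["count"] for r in rows)
    out = {}
    for r in rows:
        s = out.setdefault(level_for(r["auth_method"]),
                           {"count": 0, "pct": 0.0, "methods": []})
        s["count"] += r["count"]
        s["methods"].append(r["auth_method"])
    for s in out.values():
        s["pct"] = round(100.0 * s["count"] / total, 1) if total else 0.0
    return out

# Constructed sample mirroring the Sample Output table (field names assumed
# from the jq snippets on this page).
SAMPLE = [
    {"auth_method": "EAP-TLS", "count": 847},
    {"auth_method": "PEAP(EAP-MSCHAPv2)", "count": 234},
    {"auth_method": "MAB", "count": 156},
    {"auth_method": "EAP-FAST", "count": 45},
    {"auth_method": "PAP", "count": 12},
]

if __name__ == "__main__":
    # Pipe `netapi ise dc --format json auth-methods` in, or run bare for the sample.
    rows = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ranked = sorted(summarize(rows).items(), key=lambda kv: -kv[1]["count"])
    for level, s in ranked:
        print(f"{level:<9} {s['count']:>6} {s['pct']:>5}%  {', '.join(s['methods'])}")
```
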

See Also