Allowed Protocols

Synopsis

netapi ise get-allowed-protocols [OPTIONS]
netapi ise get-allowed-protocol NAME [OPTIONS]

Description

View the allowed protocols services and their configuration. Each service defines which EAP methods are permitted.

Usage

# List all allowed protocols services
netapi ise get-allowed-protocols

# Get specific service details
netapi ise get-allowed-protocol "Default Network Access"

Sample Output

       Allowed Protocols Services
 name                      eap_tls   peap   eap_fast   teap
 Default Network Access    Yes       Yes    Yes        Yes
 MAB_Only                  No        No     No         No
 EAP-TLS_Only              Yes       No     No         No

Detailed output shows EAP method configurations:

{
  "name": "Default Network Access",
  "eapTls": {
    "allowEapTlsAuthOfExpiredCerts": false,
    "eapTlsEnableStatelessSessionResume": false
  },
  "teap": {
    "allowTeapEapTls": true,
    "allowTeapEapMsChapV2": true,
    "acceptClientCertDuringTunnelEst": true,
    "enableEapChaining": false
  },
  "peap": {
    "allowPeapEapMsChapV2": true,
    "allowPeapEapGtc": false
  }
}

EAP Methods

 Method     Description                  Security Level
 EAP-TLS    Certificate-based            Highest (mutual auth)
 PEAP       Password in TLS tunnel       Medium
 EAP-FAST   Cisco proprietary            Medium
 TEAP       Tunnel EAP (RFC 7170)        High (supports chaining)
 MAB        MAC Authentication Bypass    Low (no auth)

Use Cases

Verify EAP-TLS Configuration

#!/bin/bash
# Check protocol service details
netapi ise get-allowed-protocol "Default Network Access"

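# For detailed JSON, use the API directly.
# Note: -k disables TLS certificate verification, so the Basic credentials are
# sent to an unauthenticated endpoint; where the ISE CA certificate is
# available, drop -k and pass it with --cacert instead.
curl -sk "https://${ISE_PAN_IP}:${ISE_PORT}/ers/config/allowedprotocols/name/Default%20Network%20Access" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Accept: application/json"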

Audit Protocol Settings

#!/bin/bash
# List all protocol services
netapi ise get-allowed-protocols

# View specific service
netapi ise get-allowed-protocol "Default Network Access"
netapi ise get-allowed-protocol "MAB_Only"
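
An added example, not part of netapi or the original page: a small Python check that reads the detailed JSON shown under Sample Output and flags settings that weaken a service. The rule list is a hypothetical baseline chosen for illustration (expired certificates accepted, password-based inner methods enabled), and the sample object is the one from this page.

```python
import json

# Constructed sample: the "Default Network Access" detail object from this page.
SAMPLE = json.loads("""
{
  "name": "Default Network Access",
  "eapTls": {"allowEapTlsAuthOfExpiredCerts": false,
             "eapTlsEnableStatelessSessionResume": false},
  "teap": {"allowTeapEapTls": true, "allowTeapEapMsChapV2": true,
           "acceptClientCertDuringTunnelEst": true, "enableEapChaining": false},
  "peap": {"allowPeapEapMsChapV2": true, "allowPeapEapGtc": false}
}
""")

# Hypothetical baseline (an assumption for this example, not vendor guidance):
# (section, key, value that gets flagged, reason)
RULES = [
    ("eapTls", "allowEapTlsAuthOfExpiredCerts", True,
     "expired client certificates are accepted"),
    ("peap", "allowPeapEapMsChapV2", True,
     "password-based inner method (MSCHAPv2) allowed in PEAP"),
    ("peap", "allowPeapEapGtc", True,
     "password-based inner method (GTC) allowed in PEAP"),
    ("teap", "allowTeapEapMsChapV2", True,
     "password-based inner method (MSCHAPv2) allowed in TEAP"),
]


def audit(service):
    """Return a list of 'section.key: reason' findings for one service object."""
    findings = []
    for section, key, flagged, reason in RULES:
        block = service.get(section)
        if not isinstance(block, dict):
            # Assumption: a missing section means there is nothing to check
            # for that method in this service.
            continue
        if key not in block:
            findings.append(f"{section}.{key}: not reported, check manually")
        elif block[key] is flagged:
            findings.append(f"{section}.{key}: {reason}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no findings"]:
        print(f"{SAMPLE['name']}: {line}")
```

To audit a live service, save the JSON for that service to a file and pass the parsed object to `audit()` in place of `SAMPLE`.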