Allowed Protocols

Synopsis

netapi ise get-allowed-protocols [OPTIONS]
netapi ise get-allowed-protocol NAME [OPTIONS]
netapi ise create-allowed-protocols NAME [OPTIONS]
netapi ise delete-allowed-protocols NAME [OPTIONS]

Description

Manage allowed protocols service configurations that define which EAP methods are permitted for network access authentication.

Commands

List All Protocols

netapi ise get-allowed-protocols
Sample Output
                        Allowed Protocols
┏━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name                   ┃ ID                                   ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Default Device Admin   │ 926901b0-8c01-11e6-996c-525400b48521 │
│ Default Network Access │ 92613980-8c01-11e6-996c-525400b48521 │
│ Domus_HOST_ONLY        │ 620e98c0-0ba1-11f1-a83f-b2b8fc7b7272 │
│ Domus_TEAP_TLS_TTLS    │ 64319fd0-0ba1-11f1-a83f-b2b8fc7b7272 │
└────────────────────────┴──────────────────────────────────────┘

Get Protocol Details

netapi ise get-allowed-protocol "Default Network Access"
Sample Output (JSON format)
{
  "name": "Default Network Access",
  "allowEapTls": true,
  "allowEapTtls": true,
  "allowTeap": true,
  "allowPeap": true,
  "allowEapFast": true,
  "eapTls": {
    "allowEapTlsAuthOfExpiredCerts": false,
    "eapTlsEnableStatelessSessionResume": true
  },
  "teap": {
    "allowTeapEapTls": true,
    "allowTeapEapMsChapV2": true,
    "enableEapChaining": false
  }
}

Create Allowed Protocols

netapi ise create-allowed-protocols NAME [OPTIONS]
Table 1. Options

Option                                Description
--eap-tls / --no-eap-tls              Enable/disable EAP-TLS (certificate authentication)
--eap-ttls / --no-eap-ttls            Enable/disable EAP-TTLS (tunneled TLS)
--eap-teap / --no-eap-teap            Enable/disable EAP-TEAP (Tunnel EAP, supports chaining)
--eap-fast / --no-eap-fast            Enable/disable EAP-FAST (Cisco proprietary)
--peap / --no-peap                    Enable/disable PEAP (Protected EAP)
--host-lookup / --no-host-lookup      Enable/disable host lookup processing
--teap-chaining / --no-teap-chaining  Enable/disable TEAP EAP chaining
-d, --description                     Description for the protocol service

Examples
# Zero-trust (EAP-TLS only)
netapi ise create-allowed-protocols "Domus_HOST_ONLY" \
  --eap-tls \
  -d "EAP-TLS only - zero trust machine authentication"

# TEAP + TLS + TTLS (user + machine chaining)
netapi ise create-allowed-protocols "Domus_TEAP_TLS_TTLS" \
  --eap-tls \
  --eap-ttls \
  --eap-teap \
  -d "TEAP/TLS/TTLS - user and machine chaining"

# Full EAP support (legacy transition)
netapi ise create-allowed-protocols "Legacy_Full_EAP" \
  --eap-tls \
  --eap-ttls \
  --eap-teap \
  --eap-fast \
  --peap \
  -d "All EAP methods enabled"
Sample Output
✓ Created allowed protocols: Domus_HOST_ONLY
ID: 620e98c0-0ba1-11f1-a83f-b2b8fc7b7272
Enabled methods: EAP-TLS

Delete Allowed Protocols

netapi ise delete-allowed-protocols NAME [OPTIONS]
Table 2. Options

Option         Description
-f, --force    Skip confirmation prompt

Example
# Delete with confirmation
netapi ise delete-allowed-protocols "Test_Protocol"

# Delete without confirmation
netapi ise delete-allowed-protocols "Test_Protocol" --force

EAP Methods Reference

Method     Description                                Security      Use Case
EAP-TLS    Certificate-based mutual authentication    Highest       Zero-trust, machine authentication
EAP-TTLS   Username/password in TLS tunnel            Medium-High   User authentication with server cert
TEAP       Tunnel EAP (RFC 7170), supports chaining   High          User + machine combined auth
PEAP       Protected EAP (MSCHAPv2 in tunnel)         Medium        Legacy Windows environments
EAP-FAST   Cisco proprietary (PAC-based)              Medium        Legacy Cisco environments
MAB        MAC Authentication Bypass                  Low           Printers, IoT, onboarding
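The JSON that get-allowed-protocol returns can be checked against the security tiers in the table above. The script below is an added example and not part of the netapi tool: it reads one allowed-protocols object (the Default Network Access sample output from earlier on this page, plus a constructed EAP-TLS-only object standing in for Domus_HOST_ONLY), lists the enabled methods, reports the weakest enabled tier, and flags the settings a reviewer would want to see: legacy methods, acceptance of expired client certificates, and TEAP enabled without chaining.

```python
import json

# Security tier per method, taken from the EAP Methods Reference table on this
# page. MAB is a policy-set choice, not an allowed-protocols flag, so it is absent.
METHOD_FLAGS = {
    "allowEapTls": ("EAP-TLS", "Highest"),
    "allowTeap": ("TEAP", "High"),
    "allowEapTtls": ("EAP-TTLS", "Medium-High"),
    "allowPeap": ("PEAP", "Medium"),
    "allowEapFast": ("EAP-FAST", "Medium"),
}
TIER_RANK = {"Highest": 3, "High": 2, "Medium-High": 1, "Medium": 0}


def audit_allowed_protocols(config: dict) -> dict:
    """Summarise one allowed-protocols object (get-allowed-protocol JSON shape)."""
    enabled = [(name, tier) for flag, (name, tier) in METHOD_FLAGS.items()
               if config.get(flag)]
    findings = []
    for name, tier in enabled:
        if tier == "Medium":
            findings.append(f"{name} enabled: legacy method, {tier} security")
    if config.get("eapTls", {}).get("allowEapTlsAuthOfExpiredCerts"):
        findings.append("EAP-TLS accepts expired client certificates")
    if config.get("allowTeap") and not config.get("teap", {}).get("enableEapChaining"):
        findings.append("TEAP enabled without EAP chaining (no user+machine binding)")
    if not enabled:
        findings.append("no EAP method enabled")
    weakest = min((t for _, t in enabled), key=TIER_RANK.get, default=None)
    return {"name": config.get("name"), "enabled": [n for n, _ in enabled],
            "weakest_tier": weakest, "findings": findings}


# Copied from the get-allowed-protocol sample output on this page.
DEFAULT_NETWORK_ACCESS = json.loads("""{
  "name": "Default Network Access",
  "allowEapTls": true, "allowEapTtls": true, "allowTeap": true,
  "allowPeap": true, "allowEapFast": true,
  "eapTls": {"allowEapTlsAuthOfExpiredCerts": false,
             "eapTlsEnableStatelessSessionResume": true},
  "teap": {"allowTeapEapTls": true, "allowTeapEapMsChapV2": true,
           "enableEapChaining": false}
}""")

# Constructed to match the Domus_HOST_ONLY example (EAP-TLS only); not real output.
HOST_ONLY = {"name": "Domus_HOST_ONLY", "allowEapTls": True,
             "eapTls": {"allowEapTlsAuthOfExpiredCerts": False}}

if __name__ == "__main__":
    for cfg in (DEFAULT_NETWORK_ACCESS, HOST_ONLY):
        print(json.dumps(audit_allowed_protocols(cfg), indent=2))
```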

Policy Set Recommendations

Policy Set            Allowed Protocols            Use Case
Domus_MAB             Default Network Access       Printers, IoT, onboarding
Domus_HOST_ONLY       Domus_HOST_ONLY (EAP-TLS)    Linux/Windows machine cert auth
Domus_TEAP_TLS_TTLS   Domus_TEAP_TLS_TTLS          User + machine chaining