ISE TACACS for PEAP

DanWeaver — Thu, 27 Jul 2017 19:39:11 GMT

Customer is going from ACS to ISE for TACACS and asked the following:

"Just to be clear we use the tacacs for peap for our green wireless authentication. Will this change anything ?"

any help much appreciated!

Re: ISE TACACS for PEAP

Arne Bier — Thu, 27 Jul 2017 22:43:57 GMT

The abstruse wording reminds me of something you'd see in a CCIE written exam ... it's outright confusing but somewhere in there is some meaning

You don't often see PEAP and TACACS in the same sentence. I have not see a NAS vendor that supports TACACS as the protocol to transport the EAP messages to the authenticating server, if this is what the customer is referring to. Otherwise please ask them to clarify what they mean.

What is green wireless authentication? Some details might be useful here.

Bottom line is that ISE is perfectly capable of handling most EAP methods (like PEAP) .

Perhaps your customer is referring to the fact that the user credentials reside in a TACACS server somewhere and that the AAA needs to proxy the request to an external TACACS? I have not tried it myself, but ISE can proxy TACACS requests - however it's not clear to me whether you can use an External TACACS server in a Radius authentication Policy, which is where you'd be starting off the PEAP processing.

Re: ISE TACACS for PEAP

hslai — Fri, 28 Jul 2017 04:25:30 GMT

Arne is correct. The T+ in ISE supports the same set of protocols and proxy as ACS 5.x. PEAP is not a protocol for T+.

Why not evaluating ISE in a lab and test out all use cases?

topic Re: ISE TACACS for PEAP in Network Access Control

ISE TACACS for PEAP

Re: ISE TACACS for PEAP

Re: ISE TACACS for PEAP