topic Re: ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE in Network Access Control

ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE

poornakumar — Wed, 16 Oct 2024 18:05:56 GMT

Hi Team,

I have checked in one endpoint live log. I have seen that the authentication protocol is PAP-ASCII but while checking on allowed protocols i have seen this why allow eap ttls allow teap everything is checked and what is the use of PAP-ASCII also

Re: ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE

ahollifield — Wed, 16 Oct 2024 20:28:55 GMT

Depends on your use-case. Do you need EAP-TTLS or not? Do you need TEAP or not? You 100% need to customize this to each individual policy set in your environment as needed.

Re: ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE

Ambuj M — Thu, 17 Oct 2024 03:27:00 GMT

PAP is considered insecure form of authentication since username/password is sent in cleartext, for ISE usually Guest connections handled through a web authentication portal and may use PAP-ASCII , the communication is usually protected via HTTPS (SSL/TLS) encryption to ensure the security of the credentials during transmission.

for other protocols, its recommended to enable the ones you need based on kind of authentication you are using.

Re: ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE

Aref Alsouqi — Thu, 17 Oct 2024 08:58:14 GMT

As mentioned by others the allowed protocol list should be matching what authentication protocols you are actually using in your environment. For instance if you are not using EAP-TTLS then you can deselect it. Same concept with any other protocol on that list. With regard to PAP, PAP is normally used with MAB, however, if PAP is listed under a secure protocol like with EAP-TTLS in the screenshot you shared, then PAP credentials in that case would be encrypted with the outer authentication protocol EAP-TTLS in this case.