topic Re: EAP‑TLS 802.1X Rollouts on Cisco ISE in Network Access Control

EAP‑TLS 802.1X Rollouts on Cisco ISE

henokk60 — Mon, 18 Aug 2025 09:12:21 GMT

Hi Mates,

We’re planning to roll out EAP‑TLS and I’d like to tap into your experience. What prior considerations, best practices, and potential issues or challenges — either before or after rollout — should we be aware of?

Thanks in advance for sharing your insights.

Best regards,

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

Rob Ingram — Mon, 18 Aug 2025 10:09:06 GMT

@henokk60 first of all, what authentication mode are you using? User or machine authentication or EAP Chaining (user and machine)?

Are you in open, monitor or closed mode?

You are going to have to pre-deloy the certificates via GPO, assuming you are in an AD environment?

If using user authentication via EAP-TLS and the user has never logged into the computer before, the user will not have the necessary certificate at the time of authentication, 802.1X authentication will fail, and network access will be denied until the certificate is properly enrolled and installed.

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

henokk60 — Mon, 18 Aug 2025 11:10:35 GMT

@Rob Ingram
Currently we operate in

Authentication is PEAP‑MSCHAPv2 - User Authentication only and Closed Mode.

To minimize disruption, and to roll out in a planned way with minimal interruption, what do you suggest to us?

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

Rob Ingram — Mon, 18 Aug 2025 11:18:32 GMT

@henokk60 deploy the user/machine certificates via GPO well in advance (a month or so) of changing to use EAP-TLS, this will allow all devices time to enroll for the certifcates and avoid any authentication issues when you migrate to EAP-TLS.

I'd recommend using EAP Chaining using TEAP with EAP-TLS to combine the user and machine authentications.

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

Arne Bier — Mon, 18 Aug 2025 20:53:17 GMT

@henokk60 you didn't mention whether wireless or wired deployment - there is quite a difference in how those get rolled out and the complexity involved. As @Rob Ingram suggested, the modern approach is EAP-TEAP and that only works in Windows environments. If you have a mixed environment with older Windows 10 (ha ha ... not for long ...) and other devices such as mobile devices, then your lowest common denominator is EAP-TLS - and it's not a wrong choice - EAP-TEAP for Windows is great because it solves the age old issue of EAP chaining in a standards way.

Of course you can have clients using EAP-TLS and EAP-TEAP on the same SSID or switch - RADIUS servers can handle many EAP methods - don't be tempted by EAP-PEAP (it's discouraged on Windows platforms and Microsoft is trying hard to prevent this from working - for good reasons). But PEAP will work on IOT device and such.

If 802.1X is new to you then start with a wireless SSID because setting up this stuff on wireless is much easier than on wired.

Once you are happy with the experience, start with a few switches in Monitor Mode (assuming you have Cisco switches) and observe the fun and games with MAB/802.1X interactions. Cisco has an excellent wired prescriptive guide that takes you on that journey.

Then move to Low Impact Mode once you know what devices are connecting to your switches, and you have prepared your RADIUS platform (hopefully ISE) for this to be smooth.

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

Jonatan Jonasson — Mon, 18 Aug 2025 22:24:31 GMT

The answers are going to differ based on if it's for wired or wireless.

But in general, and to add to the great points offered by Rob and Arne, try to consider different failure scenarios and try to test them.

And in general, try to avoid peap & mschapv2 if at all possible.

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

henokk60 — Tue, 19 Aug 2025 12:40:42 GMT

It is wireless deployment with cisco WLC

Re: EAP‑TLS 802.1X Rollouts on Cisco ISE

Arne Bier — Tue, 19 Aug 2025 22:29:13 GMT

Wireless is the best place to start with 802.1X.