topic Re: EAP-TLS vs PEAP-EAP-TLS performance question in Network Access Control

EAP-TLS vs PEAP-EAP-TLS performance question

pabloayalas — Wed, 20 Aug 2025 18:25:59 GMT

Hello,

I have a question about performance when using EAP-TLS and PEAP-MSCHAPv2 versus PEAP-EAP-TLS. Referring to the Cisco link: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#reference_dfk_mjh_m5b, specifically table 5, which shows RADIUS transactions per second (TPS) for a dedicated PSN node, I notice that the appliances we have (3655) support the following:

PEAP (MSCHAPv2) with Active Directory - 200
EAP-TLS with Active Directory - 200

These are the maximum TPS supported by these appliances. However, what happens if I use PEAP-EAP-TLS? Will those numbers decrease, and if so, by how much?

Re: EAP-TLS vs PEAP-EAP-TLS performance question

MHM Cisco World — Wed, 20 Aug 2025 18:32:12 GMT

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/access_registrar/9-3/reference/guide/reference/TPS.html

I think it also depends on license

MHM

Re: EAP-TLS vs PEAP-EAP-TLS performance question

Rob Ingram — Wed, 20 Aug 2025 18:33:11 GMT

@pabloayalas I've never come across any customer using PEAP-EAP-TLS, typically EAP-TLS is used and this may be why the cisco document does not have this information. I would imagine the performance would be worse using PEAP-EAP-TLS as there is more overhead (packets exchanged) as part of the process.

Re: EAP-TLS vs PEAP-EAP-TLS performance question

MHM Cisco World — Wed, 20 Aug 2025 18:50:22 GMT

by the way it TEAP EAP TLS not PEAP

MHM

Re: EAP-TLS vs PEAP-EAP-TLS performance question

Rob Ingram — Wed, 20 Aug 2025 19:04:23 GMT

Actually there is also PEAP-EAP-TLS as well as EAP-TLS. Using PEAP-EAP-TLS, first establishes an encrypted PEAP tunnel and then EAP-TLS is used for client/server authentication. EAP-TLS just skips the first step (the PEAP tunnel establishment) and securely authenticates the client/server certificates.

TEAP combines user and machine authentication, which uses EAP-TLS or PEAP/MSCHAPv2 authentication methods.

Re: EAP-TLS vs PEAP-EAP-TLS performance question

MHM Cisco World — Wed, 20 Aug 2025 19:09:52 GMT

I try to find PEAP as outer and inner EAP-TLS but I could not find any doc about it

MHM

Re: EAP-TLS vs PEAP-EAP-TLS performance question

Rob Ingram — Wed, 20 Aug 2025 19:19:20 GMT

Protected EAP (PEAP): Microsoft-defined EAP method that encapsulates EAP within a TLS tunnel. The TLS tunnel secures the inner EAP method, which could be unprotected otherwise. Windows supports EAP-TLS and EAP-MSCHAP v2 as inner methods.

EAP-Transport Layer Security (EAP-TLS): Standards-based EAP method that uses TLS with certificates for mutual authentication. Appears as Smart Card or other Certificate (EAP-TLS) in Windows. EAP-TLS can be deployed as an inner method for another EAP method or as a standalone EAP method.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access?tabs=eap-tls%2Cserveruserprompt-eap-tls%2Ceap-sim

PEAP is the outer method, then the inner method could be either EAP-TLS or MSCHAPv2

Re: EAP-TLS vs PEAP-EAP-TLS performance question

MHM Cisco World — Wed, 20 Aug 2025 19:24:05 GMT

But that for Microsoft not ISE.

MHM

Re: EAP-TLS vs PEAP-EAP-TLS performance question

pabloayalas — Thu, 21 Aug 2025 01:49:56 GMT

@Rob Ingram you are correct. These are the steps from one of my computers:
Steps
Step ID Description Latency (ms)
11001 Received RADIUS Access-Request - company_AD
11017 RADIUS created a new session - host/computer 0
15049 Evaluating Policy Group - company.com 0
15008 Evaluating Service Selection Policy - from: host/computer to: host/computer.company.com 0
15048 Queried PIP - company.com 1
15048 Queried PIP - Radius.Called-Station-ID 0
11507 Extracted EAP-Response/Identity - company.com 0
12500 Prepared EAP-Request proposing EAP-TLS with challenge - company_AD 0
12625 Valid EAP-Key-Name attribute received - company.com 1
11006 Returned RADIUS Access-Challenge - company_AD 0
11001 Received RADIUS Access-Request - company_AD 3
11018 RADIUS is re-using an existing session 0
12301 Extracted EAP-Response/NAK requesting to use PEAP instead 0
12300 Prepared EAP-Request proposing PEAP with challenge 0
12625 Valid EAP-Key-Name attribute received 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 9
11018 RADIUS is re-using an existing session 0
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated 1
61025 Open secure connection with TLS peer 0
12318 Successfully negotiated PEAP version 0 0
12800 Extracted first TLS record; TLS handshake started 0
12805 Extracted TLS ClientHello message 1
12806 Prepared TLS ServerHello message 0
12807 Prepared TLS Certificate message 0
12808 Prepared TLS ServerKeyExchange message 9
12810 Prepared TLS ServerDone message 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 1
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 5
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 20
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12318 Successfully negotiated PEAP version 0 0
12810 Prepared TLS ServerDone message 0
12812 Extracted TLS ClientKeyExchange message 3
12803 Extracted TLS ChangeCipherSpec message 0
12804 Extracted TLS Finished message 0
12801 Prepared TLS ChangeCipherSpec message 1
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12310 PEAP full handshake finished successfully 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 23
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12313 PEAP inner method started 0
11521 Prepared EAP-Request/Identity for inner EAP method 0
12305 Prepared EAP-Request with another PEAP challenge 1
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 3
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
11522 Extracted EAP-Response/Identity for inner EAP method 0
12522 Prepared EAP-Request for inner method proposing EAP-TLS with challenge 0
12625 Valid EAP-Key-Name attribute received 1
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 14
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12524 Extracted EAP-Response containing EAP-TLS challenge-response for inner method and accepting EAP-TLS as negotiated 0
61025 Open secure connection with TLS peer 0
12800 Extracted first TLS record; TLS handshake started 1
12545 Client requested EAP-TLS session ticket 0
12546 The EAP-TLS session ticket received from supplicant. Inner EAP-TLS does not support stateless session resume. Performing full authentication 0
12805 Extracted TLS ClientHello message 0
12806 Prepared TLS ServerHello message 0
12807 Prepared TLS Certificate message 0
12808 Prepared TLS ServerKeyExchange message 7
12809 Prepared TLS CertificateRequest message 0
12810 Prepared TLS ServerDone message 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 1
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 1
11001 Received RADIUS Access-Request 3
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 1
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 16
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 1
11001 Received RADIUS Access-Request 3
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 1
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 4
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 1
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 9
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 1
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 5
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 1
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 3
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 1
12810 Prepared TLS ServerDone message 0
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for computer 0
12571 ISE will continue to CRL verification if it is configured for specific CA - certificate for company CRL 8
12811 Extracted TLS Certificate message containing client certificate 1
12812 Extracted TLS ClientKeyExchange message 3
12813 Extracted TLS CertificateVerify message 0
12803 Extracted TLS ChangeCipherSpec message 0
12804 Extracted TLS Finished message 0
12801 Prepared TLS ChangeCipherSpec message 0
12802 Prepared TLS Finished message 0
12816 TLS handshake succeeded 0
12509 EAP-TLS full handshake finished successfully 1
12527 Prepared EAP-Request for inner method with another EAP-TLS challenge 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 8
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
12526 Extracted EAP-Response for inner method containing TLS challenge-response 0
15041 Evaluating Identity Policy 1
15048 Queried PIP - Network Access.EapAuthentication 0
15048 Queried PIP - CERTIFICATE.Issuer 0
15048 Queried PIP - CERTIFICATE.Issuer - Common Name 0
15048 Queried PIP - CERTIFICATE.Issuer - Organization 0
22070 Identity name is taken from certificate attribute 1
22037 Authentication Passed 0
12528 Inner EAP-TLS authentication succeeded 0
61026 Shutdown secure connection with TLS peer 0
11519 Prepared EAP-Success for inner EAP method 1
12314 PEAP inner method finished successfully 0
12305 Prepared EAP-Request with another PEAP challenge 0
11006 Returned RADIUS Access-Challenge 0
11001 Received RADIUS Access-Request 23
11018 RADIUS is re-using an existing session 0
12304 Extracted EAP-Response containing PEAP challenge-response 0
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory 1
15036 Evaluating Authorization Policy 0
24209 Looking up Endpoint in Internal Endpoints IDStore - computer 0
24211 Found Endpoint in Internal Endpoints IDStore 2
15048 Queried PIP - Session.ANCPolicy 2
15048 Queried PIP - Session.ANCPolicy 1
15048 Queried PIP - Session.ANCPolicy 2
15048 Queried PIP - Radius.Called-Station-ID 0
24433 Looking up machine in Active Directory - computer
24325 Resolving identity
24313 Search for matching accounts at join point
24357 Incoming identity was rewritten
24319 Single matching account found in forest
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24435 Machine Groups retrieval from Active Directory succeeded
24355 LDAP fetch succeeded
24458 Not all Active Directory attributes are retrieved successfully
24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes
15048 Queried PIP - company_AD.extensionAttribute1 6
15048 Queried PIP - DEVICE.Location 0
15016 Selected Authorization Profile - company_computer 0
22081 Max sessions policy passed 1
22080 New accounting session created in Session cache 0
12306 PEAP authentication succeeded 0
61026 Shutdown secure connection with TLS peer 1
11503 Prepared EAP-Success 0
11002 Returned RADIUS Access-Accept 1

Protocol Used

The authentication used PEAP (Protected Extensible Authentication Protocol) with an inner EAP-TLS method.
The logs show:
- Initial EAP-TLS proposal (12500 Prepared EAP-Request proposing EAP-TLS), but the client NAK'd and requested PEAP instead (12301 Extracted EAP-Response/NAK requesting to use PEAP instead).
- The outer tunnel is negotiated with PEAP (12318 Successfully negotiated PEAP version 0).
- Within PEAP, an inner EAP-TLS handshake occurs to authenticate the user/computer.

Step-by-Step Authentication Flow

Session Initiation
- ISE receives an initial RADIUS Access-Request (11001) from the network device carrying the EAP identity.
- A new session is created (11017).
Initial Protocol Negotiation
- ISE first proposes EAP-TLS (12500).
- The client rejects this and requests PEAP (12301).
- ISE responds by preparing a PEAP challenge (12300).
PEAP Tunnel Establishment (Outer TLS Tunnel)
- TLS handshake begins with ClientHello and ServerHello messages (12805, 12806).
- Server sends its certificate (12807), key exchange (12808), and finishes (12810).
- Handshake is completed (12816 TLS handshake succeeded).
- Outer tunnel established – traffic between client and ISE is now encrypted.
Inner EAP Method Negotiation
- Inside PEAP, ISE starts an inner EAP-TLS session (12522).
- TLS handshake for inner EAP-TLS begins (similar sequence as outer handshake).
- Client certificate is received (12811), verified via CRL if configured (12571).
- Inner TLS handshake succeeds (12509 EAP-TLS full handshake finished successfully).
Certificate-Based Authentication
- ISE extracts identity information from client certificate (22070 Identity name is taken from certificate attribute).
- Authentication passes (22037 Authentication Passed).
Authorization & Policy Evaluation
- ISE checks Active Directory for endpoint and machine group membership (24433, 24435).
- Authorization Profile is applied (15016 Selected Authorization Profile - company_computer).
Final Success
- PEAP inner method finishes successfully (12314).
- ISE sends EAP-Success (11503) and then a RADIUS Access-Accept (11002).

When I did this deployment, I was mainly thinking about security. Although PEAP and EAP-TLS have very high security, I wanted to hide the certificate exchange inside the PEAP tunnel. Everything has been working fine; however, I am somewhat concerned when we have many employees, as it could cause high CPU or memory usage on the PSN nodes.

Re: EAP-TLS vs PEAP-EAP-TLS performance question

Rob Ingram — Thu, 21 Aug 2025 06:58:01 GMT

@pabloayalas how many concurrent/total number of authenticated users? what is the size of the deployment (small, medium or large), how many PSNs do you have? do you have load balancers in front of the PSNs? are you using RADIUS over DTLS? If this is a production environment, are you actually experiencing any problems?

Re: EAP-TLS vs PEAP-EAP-TLS performance question

MHM Cisco World — Thu, 21 Aug 2025 09:38:59 GMT

Inner method allow eap-tls

So ISE support PEAP eap-tls

MHM