https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326054#M598008 <P>Hi All,</P><P>We plan to migrate ISE Authentication from PEAP to EAP‑TLS and want the transition to be as smooth as possible. I would like to know if it is feasible to configure EAP‑TLS as the primary authentication method with PEAP as a fallback, and if so, how this can be implemented?</P><P>Thanks</P> Mon, 01 Sep 2025 07:25:54 GMT henokk60 2025-09-01T07:25:54Z https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326054#M598008 <P>Hi All,</P><P>We plan to migrate ISE Authentication from PEAP to EAP‑TLS and want the transition to be as smooth as possible. I would like to know if it is feasible to configure EAP‑TLS as the primary authentication method with PEAP as a fallback, and if so, how this can be implemented?</P><P>Thanks</P> Mon, 01 Sep 2025 07:25:54 GMT https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326054#M598008 henokk60 2025-09-01T07:25:54Z https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326063#M598009 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;wrote:<BR /><P>Hi All,</P><P>We plan to migrate ISE Authentication from PEAP to EAP‑TLS and want the transition to be as smooth as possible. I would like to know if it is feasible to configure EAP‑TLS as the primary authentication method with PEAP as a fallback, and if so, how this can be implemented?</P><P>Thanks</P><HR /></BLOCKQUOTE><P>Yes, it's feasible using multiple authentication policies in Cisco ISE. You can configure EAP-TLS as the primary method and set a secondary policy for PEAP fallback. Ensure your Allowed Protocols list includes both methods, and use identity source sequences to prioritize certificate-based auth while allowing AD fallback for PEAP.<BR /><BR /><BR />Best Regards,<BR />Shana Brush</P> Mon, 01 Sep 2025 07:58:50 GMT https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326063#M598009 shana598brush 2025-09-01T07:58:50Z https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326150#M598010 <P>Can I see ISE policy of PEAP?</P> <P>MHM</P> Mon, 01 Sep 2025 11:45:36 GMT https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326150#M598010 MHM Cisco World 2025-09-01T11:45:36Z https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326213#M598013 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp; the native windows supplicant doesn't support fallover, Cisco NAM should if you have multiple profiles and define an order. If your supplicant doesn't support fallover then you'd have to rely on MAB for fallback.</P> <P>Cisco ISE will authenticate using any protocol offered by the client as long as it's defined in the allowed protocols list.</P> <P>In an ISE deployment typically you deploy Monitor Mode first, which still permits network access if authentication fails. During this phase you monitor the authentication lgos and rectify any authentication issues for devices failing to authenticate, only then do you proceed to low-impact or closed mode.</P> Mon, 01 Sep 2025 15:22:41 GMT https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326213#M598013 Rob Ingram 2025-09-01T15:22:41Z https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326266#M598014 <P>PEAP have two inner authc&nbsp;</P> <P>One is MSCHAPv3 and other is EAP-TLS&nbsp;</P> <P>You can only enable eap-tls under peap in allow protocol and do some change in authc policy&nbsp;</P> <P>This make both user (peap mschapv3 and peap eap-tls) to authc&nbsp;</P> <P>MHM</P> Tue, 02 Sep 2025 15:45:00 GMT https://community.cisco.com/t5/network-access-control/eap-tls-fall-back/m-p/5326266#M598014 MHM Cisco World 2025-09-02T15:45:00Z