https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5328098#M598071 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;EAP-FAST requires Cisco NAM licenses, there is additional overhead in deploying the client software and management, there is also the cost involved to purchase the NAM licenses.</P> <P>TEAP uses the windows native supplicant, so no additional cost. TEAP can be centrally managed using AD GPOs.</P> <P>EAP Chaining (EAP-FAST or TEAP) both can use EAP-TLS and provide more security, by combining the user and machine authentications, this ensures a user is connecting from a corporate owned asset that has been authenticated.</P> Mon, 08 Sep 2025 11:57:34 GMT Rob Ingram 2025-09-08T11:57:34Z https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5328096#M598070 <P>&nbsp;</P><P>Hi All,</P><P>We are working on configuring <STRONG>EAP Chaining</STRONG> for both machine and user authentication.&nbsp;Based on Cisco's documentation, EAP Chaining allows both the user and machine to be authenticated in a single session. I'm exploring two methods for this: <STRONG>EAP-FAST</STRONG> and <STRONG>TEAP</STRONG>, both of which support an inner method of <STRONG>EAP-TLS</STRONG>.&nbsp;To help me move forward, I'd like to compare these two options based on the following:</P><UL><LI><P><STRONG>Ease of deployment</STRONG></P></LI><LI><P><STRONG>Security</STRONG></P></LI></UL><P>Any insights or recommendations you have would be greatly appreciated.</P><P>Best Regards,</P> Mon, 08 Sep 2025 11:52:13 GMT https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5328096#M598070 henokk60 2025-09-08T11:52:13Z https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5328098#M598071 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;EAP-FAST requires Cisco NAM licenses, there is additional overhead in deploying the client software and management, there is also the cost involved to purchase the NAM licenses.</P> <P>TEAP uses the windows native supplicant, so no additional cost. TEAP can be centrally managed using AD GPOs.</P> <P>EAP Chaining (EAP-FAST or TEAP) both can use EAP-TLS and provide more security, by combining the user and machine authentications, this ensures a user is connecting from a corporate owned asset that has been authenticated.</P> Mon, 08 Sep 2025 11:57:34 GMT https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5328098#M598071 Rob Ingram 2025-09-08T11:57:34Z https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5329071#M598091 <P>Beyond what Rob mentioned, if you are using the windows native supplicant for TEAP you must use EAP-TLS with user and machine certificates unless you disable credential guard in Win 11. This is a limiting factor for some environments, you can disable credential guard but it is a recommended security feature.&nbsp;</P><P>If you have the means to use certificate based auth it seems to work extremely well from a security and end user standpoint.&nbsp;&nbsp;</P> Wed, 10 Sep 2025 18:52:09 GMT https://community.cisco.com/t5/network-access-control/configuring-eap-chaining-with-eap-tls/m-p/5329071#M598091 Ben Walters 2025-09-10T18:52:09Z