topic Re: EAP Chaining - cert check only in Network Access Control

EAP Chaining - cert check only

GRANT3779 — Wed, 08 Oct 2025 19:03:32 GMT

Hi CSC

Is it possible to do use TEAP / EAP Chaining within ISE when using only the certificates as a check? Basically, just check cert is trusted and no other checks are done. Can the user and machine cert be chained using just this check?

Re: EAP Chaining - cert check only

Rob Ingram — Wed, 08 Oct 2025 19:17:31 GMT

@GRANT3779 yes, you can just check the certificates are valid and use EAP Chaining. You don't need to perform additional checks, such as lookup to an external ID source (i.e., AD).

Re: EAP Chaining - cert check only

GRANT3779 — Wed, 08 Oct 2025 19:21:02 GMT

Thanks @Rob Ingram

I guess one last question would be around the authentication policy. For the "user not found" option would this need to be set to continue rather than reject (or whatever it says)?

Re: EAP Chaining - cert check only

Rob Ingram — Wed, 08 Oct 2025 19:29:39 GMT

@GRANT3779 I guess it depends on what you wish to achieve in that scenario? You could leave it as reject and have an authorisation rule "User failed and machine succeeded" and grant a level of access (restrict with DACL).