https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346119#M598914 <P>Hi. What options have you set for the authentication policies - see below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ise auth options.png" style="width: 236px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/255009iAA821486A5F096F9/image-size/large?v=v2&amp;px=999" role="button" title="ise auth options.png" alt="ise auth options.png" /></span></P><P>hth</P><P>Andy</P> Tue, 11 Nov 2025 13:44:15 GMT andrewswanson 2025-11-11T13:44:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346019#M598883 <P>Hi Team,</P><P>We want to transition from PEAP authentication to TEAP authentication for wireless users, and since we're rolling it out department by department in a phased approach, I want to have both policies active. For example, on Monday, I will begin the rollout in the IT and HR departments, transitioning from PEAP to TEAP.</P><P>In the Authentication Policy section of the policy set, I have used <STRONG>Network Access - EAP Tunnel Equals TEAP</STRONG>, but this policy isn’t being hit when I place TEAP in the second order. When I make it first in the order, the PEAP policy stops being hit, even after I tried changing the order. What could be the reason for this?</P><P>Thanks,</P> Tue, 11 Nov 2025 08:07:44 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346019#M598883 henokk60 2025-11-11T08:07:44Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346028#M598887 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;please provide a screenshot of your policy set and authentication policy and the live logs.</P> Tue, 11 Nov 2025 08:12:11 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346028#M598887 Rob Ingram 2025-11-11T08:12:11Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346099#M598910 <P>If placing the TEAP rule the second in order doesn't get hit it would suggest that the clients supplicants are not proeperly configured for TEAP, however, I'm confused because you mentioned if you place the TEAP rule above the PEAP rule doesn't get hit. This would suggest that the clients are configured properly for TEAP.</P> <P>The way how I would deal with this would be leaving the authentication conditions without specifying the outer or the inner EAP method, I would just leave them with wired_802.1x and wireless_802.1x and then specify the EAP chaining conditions in the authroization rules to match the TEAP traffic.</P> <P>Or, you could create a separate policy set for TEAP only. In that case you would need to use a separate allowed protocol profile where you only have TEAP enabled in it. That way, the dedicated policy set will only match TEAP traffic.</P> Tue, 11 Nov 2025 12:55:41 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346099#M598910 Aref Alsouqi 2025-11-11T12:55:41Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346107#M598912 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594">@Aref Alsouqi</a>&nbsp;What I did is I create separate rule for TEAP only with separate&nbsp;<SPAN>allowed protocol profile TEAP enabled in it and inner methods EAP-TLS.&nbsp;</SPAN></P> Tue, 11 Nov 2025 13:18:21 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346107#M598912 henokk60 2025-11-11T13:18:21Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346108#M598913 <P>Policy set is as below for TEAP<BR /><STRONG>Conditions&nbsp;</STRONG><BR />Radius:Called-Station-ID:"SSID" AND<BR />Wirless_802.1x<BR /><STRONG>Allowed Protocol</STRONG><BR />TEAP<BR /><STRONG>Auth Policy</STRONG><BR />Wireless_802.1x AND<BR />NetworkAccess:EAPTunnel TEAP<BR /><STRONG>Authorization Policy</STRONG><BR />AD:ExternalGroups: Equals IT,Sales,Finance<BR />Network Access:EapChainingResult Equals User and machine both succeeded<BR />Session:PostureStatus Equals Complaint,&nbsp;</P> Tue, 11 Nov 2025 13:24:49 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346108#M598913 henokk60 2025-11-11T13:24:49Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346119#M598914 <P>Hi. What options have you set for the authentication policies - see below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ise auth options.png" style="width: 236px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/255009iAA821486A5F096F9/image-size/large?v=v2&amp;px=999" role="button" title="ise auth options.png" alt="ise auth options.png" /></span></P><P>hth</P><P>Andy</P> Tue, 11 Nov 2025 13:44:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346119#M598914 andrewswanson 2025-11-11T13:44:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346123#M598915 <P>Hi Andy,</P> <P>Usually we set the "If User not found" option to continue to allow guest endpoints to "pass" authentication, but I don't think that is relevant here?</P> Tue, 11 Nov 2025 13:54:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346123#M598915 Aref Alsouqi 2025-11-11T13:54:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346124#M598916 <P>If you configured a separate policy set and enabled only TEAP in the allowed protocol then you don't have to specify the TEAP EAP tunnel in the authentication rule. Take a look at this doc please, is that what you've done?</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#toc-hId--1057623478" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#toc-hId--1057623478</A></P> <P>&nbsp;</P> Tue, 11 Nov 2025 13:56:07 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346124#M598916 Aref Alsouqi 2025-11-11T13:56:07Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346777#M598949 <P>Hi Team,<BR />is there an option to merge the TEAP and PEAP policies so they do not overlap?</P> Thu, 13 Nov 2025 08:11:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5346777#M598949 henokk60 2025-11-13T08:11:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5352046#M599199 <P>If you separate the policies with the right conditions they won't overlap. However, if you want to consolidate all of them in one then you would need to create multiple conditions using the or operator where applicable.</P> Wed, 03 Dec 2025 14:22:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5352046#M599199 Aref Alsouqi 2025-12-03T14:22:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5352260#M599210 <P>Hi All,</P><P>I just merged both the TEAP and PEAP policy and both the condition and the Auth policy the same however in the Authrz rule I use an attribute "Network Access:EapTunnel EQUALS PEAP" for the PEAP and new Autz policy within the same policy ""Network Access:EapTunnel EQUALS TEAP""<BR />Thanks,</P> Thu, 04 Dec 2025 07:47:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-peap-to-teap-auth-policy-set/m-p/5352260#M599210 henokk60 2025-12-04T07:47:04Z