topic Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case in Network Access Control

Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

MSJ1 — Mon, 01 Dec 2025 17:49:27 GMT

Refer to below screenshot from allowed protocols - What's the difference between Preferred EAP Protocol between TEAP and EAP-TLS and when to use Preferred EAP Protocol between these 2 ( EAP-TLS and TEAP ) as preferred ?

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Rob Ingram — Mon, 01 Dec 2025 18:10:17 GMT

@MSJ1 when configured the Preferred EAP Protocol is the first protocol ISE will attempt to authenticate the client. If you leave Preferred EAP Protocol disabled, ISE will propose EAP-TLS when a client attempts to authenticate. If the client does not use EAP-TLS it will inform ISE what protocol it does support. Set the Preferred EAP Protocol to the protocol the clients are using.

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Aref Alsouqi — Wed, 03 Dec 2025 09:21:05 GMT

As @Rob Ingram mentioned, the "Preferred EAP Protocol" is just a way to make ISE to request the selected protocol during the EAP negotiation with the endpoint. However, the "Allow TEAP" is just to make ISE accept the authentication negotiation over TEAP.

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Cristian Matei — Wed, 03 Dec 2025 13:29:37 GMT

Hi,

The "allow" checkbox is to allow or disallow ISE to use that specific EAP method for incoming authentication requests; if your supplicants uses that method, this checkbox must be enabled.

The "preferred EAP" protocol is what ISE will propose as EAP method to the suplicant; however, since supplicants are already configured with the EAP method to be used and will signal it to ISE, this let's say feature doesn't really add value; moreover, based on the EAP method signaled by client, if you use this checkbox you may find yourself in the buggy situation where ISE reject the authentication request instead of failing over to whatever the supplicant has requested, assuming the supplicant required EAP method has been "allowed" through the previously discussed checkbox.

Thanks,

Cristian.

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Karsten Iwen — Wed, 03 Dec 2025 14:20:46 GMT

I wouldn't say "doesn't really add value". If we set it to the typically used EAP method, and it is not EAP-TLS, we save one round-trip time. It's not much, but why waste this when it is easy to configure.

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Cristian Matei — Wed, 03 Dec 2025 14:59:06 GMT

Hi,

Can you give one real and functional example where you actually save one round-trip time, with explanations? Not per what documentation is saying, but per what actually happens behind the scenes in the event chain.

Just to re-enforce my statement, depending on your actual EAP method being used and the value you set to preference, if these two are not identical, you could end up with authentication request being dropped instead of failing over to allowed methods.

Thanks,

Cristian.

Re: Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

Karsten Iwen — Wed, 03 Dec 2025 16:33:59 GMT

Yes, and I have it in captures. The customer has nearly all clients still with PEAP. Without setting this option, the ISE is sending the EAP Request as EAP-TLS, and the Supplicant first has to send a Legacy NAK before the ISE continues with PEAP: