https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354230#M599269 <P>Hi,</P> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;When a user "forgets" a network, it removes the saved connection profile, and the next connection attempt can no longer use these settings and fallback to default settings or settings pushed through Group Policy Objects (GPOs) from Active Directory to re-establish the connection.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;Three solution here:</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">1. ask users to not use "forget" option, which is prone to failure as users will forget not to use the "forget" option</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">2. use Local Windows Policies to set the configuration permanently use TEAP, via Local Group Policy Editor (<SPAN>gpedit.msc); not scalable option if you have to do this on multiple devices and not the bet way to do it if there are computers that are members of AD&nbsp;</SPAN>infrastructure; useful only for computers that are not AD members.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">3. use AD level GPO's to push 802.1x settings with using TEAP</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Nothing you can do on ISE to address this challenge.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Thanks,</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Cristian.</DIV> <P><SPAN>. </SPAN></P> Thu, 11 Dec 2025 09:01:04 GMT Cristian Matei 2025-12-11T09:01:04Z https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354196#M599267 <P><SPAN>Hi All,</SPAN></P><P><SPAN>We have initiated the rollout of <STRONG>user authentication using TEAP</STRONG> (transitioning from PEAP). During testing, we observed the following issue&nbsp;</SPAN><SPAN>When a user clicks the </SPAN><STRONG>“Forget”</STRONG><SPAN> button on the Wi-Fi profile, the system reverts to </SPAN><STRONG>PEAP</STRONG><SPAN> as the default authentication method.&nbsp;</SPAN><SPAN>As a result, users are challenged to connect with PEAP instead of TEAP, which breaks the intended authentication flow.&nbsp;</SPAN><SPAN>What options are available to enforce </SPAN><STRONG>TEAP as the default profile</STRONG><SPAN> across all devices ?</SPAN></P><P><SPAN>Thanks</SPAN></P> Thu, 11 Dec 2025 07:28:27 GMT https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354196#M599267 henokk60 2025-12-11T07:28:27Z https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354197#M599268 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1753581">@henokk60</a>&nbsp;this is not really a Cisco (ISE) issue, but relates to how the devices are managed. Assuming these are Windows devices connected to Active Directory domain, then a Group Policy should be created and deployed to the devices with the correct authentication settings (TEAP), the users would then be unable to change the settings. Or if managed by MDM, then deploy a policy to do the same.</P> Thu, 11 Dec 2025 07:49:15 GMT https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354197#M599268 Rob Ingram 2025-12-11T07:49:15Z https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354230#M599269 <P>Hi,</P> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;When a user "forgets" a network, it removes the saved connection profile, and the next connection attempt can no longer use these settings and fallback to default settings or settings pushed through Group Policy Objects (GPOs) from Active Directory to re-establish the connection.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;Three solution here:</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">1. ask users to not use "forget" option, which is prone to failure as users will forget not to use the "forget" option</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">2. use Local Windows Policies to set the configuration permanently use TEAP, via Local Group Policy Editor (<SPAN>gpedit.msc); not scalable option if you have to do this on multiple devices and not the bet way to do it if there are computers that are members of AD&nbsp;</SPAN>infrastructure; useful only for computers that are not AD members.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">3. use AD level GPO's to push 802.1x settings with using TEAP</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Nothing you can do on ISE to address this challenge.</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">&nbsp;</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Thanks,</DIV> <DIV data-subtree="aimfl,mfl" data-processed="true">Cristian.</DIV> <P><SPAN>. </SPAN></P> Thu, 11 Dec 2025 09:01:04 GMT https://community.cisco.com/t5/network-access-control/teap-rollout-default-profile-enforcement-issue/m-p/5354230#M599269 Cristian Matei 2025-12-11T09:01:04Z