topic Re: TEAP + PEAP <> Multiple domains in Network Access Control

TEAP + PEAP <> Multiple domains

Ryan2K — Wed, 04 Feb 2026 07:29:09 GMT

Hello,

I have a cisco ISE implementation for a customer, Once the ISE server connected to the AD it Showed two domains, Domain X and Domain Y.

Domain X has an internal CA with endpoints having User + machine certificate and they are willing to go with TEAP authentication.

Domain Y users want to go with PEAP as the current IT team do not have any visibly on Y domain controllers .

I do not want to have a separate SSIDs or something, is this feasible?

Appreciate your help.

Re: TEAP + PEAP <> Multiple domains

balaji.bandi — Wed, 04 Feb 2026 08:08:07 GMT

If technically that should work, I have not tested it; I have never come across this requirement, but it's good to know the outcome of this scenario.

As I understand it, SSID itself (Layer 2) does not care about the authentication method. Cisco ISE can differentiate between these two domains and their preferred protocols (TEAP vs. PEAP) within the Policy Set logic that needs to be applied to each one, I guess. and authorisation policy for each one to meet the requirement based on the domain.

Re: TEAP + PEAP <> Multiple domains

Cristian Matei — Wed, 04 Feb 2026 09:56:17 GMT

Hi,

@Ryan2K Yes, absolutely. From WiFi perspective, it's just EAP authentication which is redirected via RADIUS to ISE server, so WiFi infrastructure is completely agnostic to whatever happen at the authentication side, WLC only cares to receive via RADIUS an Access-Accept (successful authentication) alongside with possible authorisations to be applied, or an Access-Reject (failed authentication).

On ISE side, ensure the two domains are in a forest, or there's mutual trust in between, so that ISE can read the AD schema structure from both domains. After, you configure your authentication profiles to allow both PEAP and TEAP (or built separate ones, one for each method) and configure separate authorization profiles where on each one you must match on the EAP method (the inner method) so that you can apply different authorizations for TEAP vs. PEAP clients; if you don't perform any (not at all) specific or differentiated authorizations between TEAP and PEAP clients, you don't need separate authtoziation profiles.

Thanks,

Cristian.

Re: TEAP + PEAP <> Multiple domains

Ryan2K — Wed, 04 Feb 2026 18:17:11 GMT

Hello,

Thanks for replying balaji, I will look into it and keep you posted

Re: TEAP + PEAP <> Multiple domains

Ryan2K — Wed, 04 Feb 2026 18:41:59 GMT

Hello Cristian,

Thanks for the clear explanation regarding SSID.

So I guess need to create two rules. The first rule checks that the machine is authenticated but the user is not. The
second rule verifies that both the user and the machine are authenticated -- This for the domain X where I guess nothing needs to be additionally declared in the authorization policy.

As for other supplicants on Domain Y using PEAP with MSCHAP-v2 -- AD_Domain-ExternalGroups EQUALS AD_Domain/Users/Domain Users

Note that the AD_Domain is the active directory domain that I joined the ISE into , which is the same as Domain X , the domain controllers showing on the ISE dashboard are the ones for domain X.

but surprisingly (for me and the customer lol) the allowed domains tab showed two, I have not created the authorization polices yet , but when I tested a User@domainY.com through lookup option the ISE was able to fetch it from other domain controllers hosted on their sister company site (not listed on ISE dashboard) the company had VPN tunnel with.

As for Network Access Protoolcs both of TEAP - EAP chaining + PEAP - MSCHAP-v2 should be allowed with ease.

Will check and let you know of the outcome, appreciate your help and reply Cristian.

Regards,

Ryan.

Re: TEAP + PEAP <> Multiple domains

Cristian Matei — Wed, 04 Feb 2026 23:33:10 GMT

Hi,

@Ryan2K Here's a guide you use for TEAP:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Here's a guide you can use for PEAP, although using older version of ISE / GUI, settings are still the same you'll figure it out:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html

Be aware of the Microsoft Credential Guard preventing EAP-MSCHAPv2 to work if used with native Windows supplicant. In same following location you'll find a plethora of ISE related configuration guides:

https://community.cisco.com/t5/security-knowledge-base/ise-berg/ta-p/5041171

Thanks,

Cristian.