topic Re: Cisco ISE - EAP-TLS and EAP-TEAP simultaneously run in Network Access Control

Cisco ISE - EAP-TLS and EAP-TEAP simultaneously run

mikiNet — Wed, 11 Feb 2026 09:23:01 GMT

Dear Team,

I have below Policy Set:

All RADIUS request is hiting the first policy even if I set supplicant to use TEAP. I know that problem is with hierarchy of this two policy. When I move second policy to the top, then TEAP working but TLS not.

Profile for "Allowed Protocols" is set as we see: I have two profile EAP-TLS which only allow TLS and second profile which allow only TEAP.

So for example If hierarchy is as on the screenshot and if supplicant is set to use TEAP, the request from NAD is hitting first rule because Condition is matching, but in Allowed Protocol profile TEAP is not allowed.

Is there any chance to distinguish this two Policy on the Condition to have working properly this policy?

I know that when I go inside policy, In authentication Tab I can use "Network Access-EapAuthentication" set to e.x. EAP-TLS but this not resolve my issue.

I want it to work on the main page. Any idea ?

Re: Cisco ISE - EAP-TLS and EAP-TEAP simultaneously run

thomas — Wed, 04 Mar 2026 22:09:36 GMT

ISE Policy Set conditions work top-down and the first match wins.

Both sets of conditions are working because your supplicant is probably configured to do both EAP-TLS or TEAP.

Typically we don't have separate Policy Sets for different EAP protocols - if the endpoint can do 802.1X with EAP, then you handle the EAP-based authentication in the Authentication Policy and the Authorization Policy will likely be the same regardless of the protocol:

If you want to separate at the EAP Authentication or EAP Tunnel Type, you must do this within a Policy Set - you will not have this option at the Policy Set level because the Allowed Protocols selection determines which protocols will be attempted by ISE for authentication.

Hopefully that helps answer your question to get you what you need.

Re: Cisco ISE - EAP-TLS and EAP-TEAP simultaneously run

ahollifield — Thu, 05 Mar 2026 13:21:29 GMT

Why bother having these be separate policy sets at all?