cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

194
Views
10
Helpful
2
Replies
Highlighted
Cisco Employee

ISE TACACS for PEAP

Customer is going from ACS to ISE for TACACS and asked the following:

"Just to be clear we use the tacacs for peap for our green wireless authentication.  Will this change anything ?"


any help much appreciated!

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: ISE TACACS for PEAP

The abstruse wording reminds me of something you'd see in a CCIE written exam ... it's outright confusing but somewhere in there is some meaning

You don't often see PEAP and TACACS in the same sentence.  I have not see a NAS vendor that supports TACACS as the protocol to transport the EAP messages to the authenticating server, if this is what the customer is referring to.  Otherwise please ask them to clarify what they mean.

What is green wireless authentication?  Some details might be useful here.

Bottom line is that ISE is perfectly capable of handling most EAP methods (like PEAP) .

Perhaps your customer is referring to the fact that the user credentials reside in a TACACS server somewhere and that the AAA needs to proxy the request to an external TACACS?  I have not tried it myself, but ISE can proxy TACACS requests - however it's not clear to me whether you can use an External TACACS server in a Radius authentication Policy, which is where you'd be starting off the PEAP processing.

2 REPLIES 2
VIP Engager

Re: ISE TACACS for PEAP

The abstruse wording reminds me of something you'd see in a CCIE written exam ... it's outright confusing but somewhere in there is some meaning

You don't often see PEAP and TACACS in the same sentence.  I have not see a NAS vendor that supports TACACS as the protocol to transport the EAP messages to the authenticating server, if this is what the customer is referring to.  Otherwise please ask them to clarify what they mean.

What is green wireless authentication?  Some details might be useful here.

Bottom line is that ISE is perfectly capable of handling most EAP methods (like PEAP) .

Perhaps your customer is referring to the fact that the user credentials reside in a TACACS server somewhere and that the AAA needs to proxy the request to an external TACACS?  I have not tried it myself, but ISE can proxy TACACS requests - however it's not clear to me whether you can use an External TACACS server in a Radius authentication Policy, which is where you'd be starting off the PEAP processing.

Cisco Employee

Re: ISE TACACS for PEAP

Arne is correct. The T+ in ISE supports the same set of protocols and proxy as ACS 5.x. PEAP is not a protocol for T+.

Why not evaluating ISE in a lab and test out all use cases?