
ALLOWED PROTOCOL CONFIGURATION IN CISCO ISE

poornakumar
Level 1

Hi Team,

I checked the live log for one endpoint and saw that the authentication protocol is PAP-ASCII. But while checking the allowed protocols, I saw this: why are Allow EAP-TTLS, Allow TEAP and everything else checked, and what is the use of PAP-ASCII as well?

poornakumar_0-1729101891620.png

 

3 Replies

Depends on your use-case.  Do you need EAP-TTLS or not?  Do you need TEAP or not?  You 100% need to customize this to each individual policy set in your environment as needed.

ammahend
VIP Alumni

PAP is considered an insecure form of authentication since the username/password is sent in cleartext. For ISE, Guest connections are usually handled through a web authentication portal and may use PAP-ASCII; the communication is usually protected via HTTPS (SSL/TLS) encryption to ensure the security of the credentials during transmission.

For other protocols, it's recommended to enable the ones you need based on the kind of authentication you are using.

-hope this helps-

As mentioned by others, the allowed protocol list should match the authentication protocols you are actually using in your environment. For instance, if you are not using EAP-TTLS then you can deselect it. Same concept with any other protocol on that list. With regard to PAP, PAP is normally used with MAB; however, if PAP is listed under a secure protocol, like with EAP-TTLS in the screenshot you shared, then the PAP credentials in that case would be encrypted with the outer authentication protocol, EAP-TTLS in this case.
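
One way to apply the advice in the replies above, as an added example that is not part of the original thread: compare the protocols each policy set allows with the protocols seen in authentication logs, and separate bare PAP from PAP carried inside a tunnel. The column names, protocol strings and policy set names are assumptions built for illustration, not ISE's export format.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: hypothetical export, one row per authentication.
# Column names and protocol strings are assumptions, not ISE's own format.
SAMPLE_LOG = """policy_set,auth_protocol
Wired-MAB,PAP-ASCII
Wired-MAB,PAP-ASCII
Wireless-Dot1x,EAP-TTLS (PAP-ASCII)
Wireless-Dot1x,EAP-TLS
"""

# Constructed sample: protocols ticked in each policy set's allowed list.
SAMPLE_ALLOWED = {
    "Wired-MAB": {"PAP-ASCII", "EAP-TTLS", "TEAP"},
    "Wireless-Dot1x": {"EAP-TLS", "EAP-TTLS", "TEAP", "PAP-ASCII"},
}

def split_protocol(value):
    """Split 'OUTER (INNER)' into (outer, inner); inner is None if untunnelled."""
    outer, _, rest = value.strip().partition("(")
    inner = rest.rstrip(")").strip() or None
    return outer.strip(), inner

def audit(log_text, allowed):
    """Per policy set: allowed-but-unused protocols and PAP use by kind."""
    seen = defaultdict(Counter)
    pap = defaultdict(lambda: {"bare": 0, "tunnelled": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        outer, inner = split_protocol(row["auth_protocol"])
        seen[row["policy_set"]][outer] += 1
        if outer == "PAP-ASCII":
            pap[row["policy_set"]]["bare"] += 1        # cleartext on the RADIUS leg
        elif inner == "PAP-ASCII":
            pap[row["policy_set"]]["tunnelled"] += 1   # protected by the outer method
    report = {}
    for policy_set, enabled in allowed.items():
        report[policy_set] = {
            "unused": sorted(enabled - set(seen[policy_set])),  # candidates to deselect
            "pap": dict(pap[policy_set]),
        }
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE_LOG, SAMPLE_ALLOWED).items():
        print(name, result)
```

Run it over a long enough log window that rarely used protocols have a chance to appear before anything is deselected.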