Allowed Protocol TEAP with preferred EAP Protocol TEAP - use case

MSJ1
Level 1

Refer to the screenshot below from Allowed Protocols. What is the difference between the Preferred EAP Protocol options TEAP and EAP-TLS, and when should each of these two (EAP-TLS and TEAP) be set as the preferred protocol?

(Screenshot attached: MSJ1_0-1764611078299.png)

6 Replies

@MSJ1 when configured, the Preferred EAP Protocol is the first protocol ISE will attempt to use to authenticate the client. If you leave Preferred EAP Protocol disabled, ISE will propose EAP-TLS when a client attempts to authenticate. If the client does not use EAP-TLS, it will inform ISE which protocol it does support. Set the Preferred EAP Protocol to the protocol the clients are using.

As @Rob Ingram mentioned, the "Preferred EAP Protocol" is just a way to make ISE request the selected protocol during the EAP negotiation with the endpoint. "Allow TEAP", on the other hand, just makes ISE accept an authentication negotiation over TEAP.

Cristian Matei
VIP Alumni

Hi,

The "allow" checkbox allows or disallows ISE to use that specific EAP method for incoming authentication requests; if your supplicants use that method, this checkbox must be enabled.

The "preferred EAP" protocol is what ISE will propose as the EAP method to the supplicant; however, since supplicants are already configured with the EAP method to be used and will signal it to ISE, this, let's say, feature doesn't really add value. Moreover, depending on the EAP method signaled by the client, if you use this checkbox you may find yourself in the buggy situation where ISE rejects the authentication request instead of failing over to whatever the supplicant has requested, assuming the supplicant's required EAP method has been "allowed" through the previously discussed checkbox.

Thanks,

Cristian.

I wouldn't say "doesn't really add value". If we set it to the typically used EAP method, and it is not EAP-TLS, we save one round-trip time. It's not much, but why waste it when it is easy to configure?

Hi,

Can you give one real, functional example where you actually save one round-trip time, with explanations? Not per what the documentation says, but per what actually happens behind the scenes in the event chain.

Just to reinforce my statement: depending on the EAP method actually being used and the value you set as the preference, if these two are not identical, you could end up with the authentication request being dropped instead of failing over to the allowed methods.

Thanks,

Cristian.

Yes, and I have it in captures. The customer still has nearly all clients on PEAP. Without setting this option, ISE sends the EAP Request as EAP-TLS, and the supplicant first has to send a Legacy NAK before ISE continues with PEAP:

(Capture screenshot attached: KarstenIwen_0-1764779605596.jpeg)
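The exchange described in the capture above, as an added example that is not part of this thread and not ISE code: a small model of the EAP method negotiation from RFC 3748, where the server proposes one method (EAP-TLS when no preference is set), the peer either starts it or answers with a Legacy NAK (type 3) naming the method it wants, and the server fails over only to an allowed method. The packet layout and type numbers (EAP-TLS 13, PEAP 25, TEAP 55) are from the RFCs; the identity exchange and the rest of each method are omitted, and the model shows the intended failover, not the rejection bug discussed above.

```python
import struct

# EAP codes and method types from RFC 3748, RFC 5216 (EAP-TLS), RFC 7170 (TEAP)
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_NAK, TYPE_TLS, TYPE_PEAP, TYPE_TEAP = 3, 13, 25, 55
NAMES = {TYPE_TLS: "EAP-TLS", TYPE_PEAP: "PEAP", TYPE_TEAP: "TEAP"}

def eap_packet(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data); reject a bad Length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def supplicant_reply(request, wanted):
    """Peer side: accept the proposed method, or answer with a Legacy NAK listing `wanted`."""
    _, ident, proposed, _ = parse_eap(request)
    if proposed == wanted:
        return eap_packet(EAP_RESPONSE, ident, wanted)  # start the method itself
    return eap_packet(EAP_RESPONSE, ident, TYPE_NAK, bytes([wanted]))

def negotiate(allowed, preferred, wanted):
    """Server side (ISE-like model): propose `preferred` (EAP-TLS when unset), then fail
    over to the NAKed method if it is allowed. Returns (agreed method or None, round trips)."""
    proposed = preferred if preferred is not None else TYPE_TLS
    ident, trips = 1, 0
    for _ in range(2):  # at most one NAK / re-proposal before giving up
        trips += 1
        resp = supplicant_reply(eap_packet(EAP_REQUEST, ident, proposed), wanted)
        _, _, rtype, rdata = parse_eap(resp)
        if rtype != TYPE_NAK:
            return proposed, trips
        desired = rdata[0]
        if desired not in allowed:
            return None, trips  # no allowed method matches: server would send EAP-Failure
        proposed, ident = desired, ident + 1
    return None, trips

if __name__ == "__main__":
    # Constructed scenario: PEAP clients, TEAP and EAP-TLS allowed, preference unset vs. set to PEAP
    allowed = {TYPE_TLS, TYPE_PEAP, TYPE_TEAP}
    for pref in (None, TYPE_PEAP):
        method, trips = negotiate(allowed, pref, TYPE_PEAP)
        print(f"preferred={NAMES.get(pref, 'unset')}: agreed {NAMES[method]} after {trips} round trip(s)")
```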