Cisco ISE PEAP to TEAP Auth Policy Set

henokk60
Level 1

Hi Team,

We want to transition from PEAP authentication to TEAP authentication for wireless users, and since we're rolling it out department by department in a phased approach, I want to have both policies active. For example, on Monday, I will begin the rollout in the IT and HR departments, transitioning from PEAP to TEAP.

In the Authentication Policy section of the policy set, I have used Network Access - EAP Tunnel Equals TEAP, but this policy isn’t being hit when I place TEAP in the second order. When I make it first in the order, the PEAP policy stops being hit, even after I tried changing the order. What could be the reason for this?

Thanks,

Accepted Solution

henokk60
Level 1

Hi All,

I just merged both the TEAP and PEAP policies; both the condition and the Auth policy are the same. However, in the Authz rule I use the attribute "Network Access:EapTunnel EQUALS PEAP" for PEAP, and a new Authz policy within the same policy set uses "Network Access:EapTunnel EQUALS TEAP".
Thanks,


10 Replies

@henokk60 please provide a screenshot of your policy set and authentication policy and the live logs.

If placing the TEAP rule second in order means it doesn't get hit, that would suggest the clients' supplicants are not properly configured for TEAP. However, I'm confused because you mentioned that if you place the TEAP rule above, the PEAP rule doesn't get hit. This would suggest that the clients are configured properly for TEAP.

The way I would deal with this would be to leave the authentication conditions without specifying the outer or the inner EAP method: I would just leave them with Wired_802.1X and Wireless_802.1X and then specify the EAP chaining conditions in the authorization rules to match the TEAP traffic.

Or, you could create a separate policy set for TEAP only. In that case you would need to use a separate allowed protocol profile where you only have TEAP enabled in it. That way, the dedicated policy set will only match TEAP traffic.

@Aref Alsouqi What I did is I created a separate rule for TEAP only, with a separate allowed protocol profile that has TEAP enabled in it and EAP-TLS as the inner method.

If you configured a separate policy set and enabled only TEAP in the allowed protocols, then you don't have to specify the TEAP EAP tunnel in the authentication rule. Take a look at this doc please; is that what you've done?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html#toc-hId--1057623478


henokk60
Level 1

Policy set is as below for TEAP:

Conditions:
  Radius:Called-Station-ID:"SSID" AND
  Wireless_802.1x
Allowed Protocols:
  TEAP
Auth Policy:
  Wireless_802.1x AND
  NetworkAccess:EAPTunnel TEAP
Authorization Policy:
  AD:ExternalGroups Equals IT, Sales, Finance
  Network Access:EapChainingResult Equals User and machine both succeeded
  Session:PostureStatus Equals Compliant

Hi. What options have you set for the authentication policies? See below.

[screenshot: ise auth options.png]

hth

Andy

Hi Andy,

Usually we set the "If User not found" option to continue to allow guest endpoints to "pass" authentication, but I don't think that is relevant here?

henokk60
Level 1

Hi Team,
Is there an option to merge the TEAP and PEAP policies so they do not overlap?

If you separate the policies with the right conditions they won't overlap. However, if you want to consolidate all of them in one, then you would need to create multiple conditions using the OR operator where applicable.
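The two approaches discussed in this thread, Aref's dedicated policy set gated by a TEAP-only Allowed Protocols profile, and the accepted solution's single policy set whose authorization rows are keyed on Network Access:EapTunnel, can be modelled as a small first-match evaluator. The code below is an added example, not part of the thread and not Cisco's own code: the attribute names follow the ISE dictionaries quoted above, but the evaluator, the rule rows and the sample sessions are constructed here. It shows why the EapTunnel-keyed authorization rows are mutually exclusive (the same session gets the same result whichever row sits first), how a TEAP-only allowed-protocols gate keeps PEAP sessions out of a dedicated policy set, and how a chained TEAP session that is not posture compliant falls to the default row.

```python
# Added example (not from the thread, not Cisco code): a toy first-match model
# of how an ISE policy set routes a session. Attribute names follow the ISE
# dictionaries quoted in the thread; evaluator and sessions are constructed.

from dataclasses import dataclass


@dataclass
class Rule:
    """One row in an ISE authorization (or authentication) table.

    conditions: attribute -> required value, or a set of acceptable values
    (set membership models 'EQUALS IT, Sales, Finance'). Every condition must
    hold (AND); a multi-valued attribute such as AD:ExternalGroups matches
    if any of its values is acceptable.
    """
    name: str
    conditions: dict
    result: str


def condition_holds(actual, wanted):
    allowed = wanted if isinstance(wanted, (set, frozenset)) else {wanted}
    values = actual if isinstance(actual, (set, frozenset, list, tuple)) else [actual]
    return any(v in allowed for v in values)


def first_match(rules, session, default="DenyAccess"):
    """ISE evaluates rows top to bottom and stops at the first match."""
    for rule in rules:
        if all(attr in session and condition_holds(session[attr], wanted)
               for attr, wanted in rule.conditions.items()):
            return rule.name, rule.result
    return "Default", default


def policy_set_applies(session, allowed_protocols):
    """Policy-set gate from Aref's second suggestion: a set whose Allowed
    Protocols profile only enables TEAP can never match a PEAP session."""
    return (session.get("Wireless_802.1X") is True
            and session.get("Network Access:EapTunnel") in allowed_protocols)


# Authorization rows from the accepted solution: one policy set, the same
# authentication rule, and two rows keyed on EapTunnel so that only one of
# them can ever match a given session, whatever their order.
TEAP_RULE = Rule(
    "Wireless TEAP chained",
    {"Network Access:EapTunnel": "TEAP",
     "Network Access:EapChainingResult": "User and machine both succeeded",
     "AD:ExternalGroups": {"IT", "Sales", "Finance"},
     "Session:PostureStatus": "Compliant"},
    "PermitAccess")

PEAP_RULE = Rule(
    "Wireless PEAP legacy",
    {"Network Access:EapTunnel": "PEAP",
     "AD:ExternalGroups": {"IT", "Sales", "Finance"}},
    "PermitAccess")


def authorize(session, order=(TEAP_RULE, PEAP_RULE)):
    return first_match(list(order), session)


# Constructed sample sessions (illustrative values, not from any live log).
TEAP_SESSION = {
    "Wireless_802.1X": True,
    "Network Access:EapTunnel": "TEAP",
    "Network Access:EapChainingResult": "User and machine both succeeded",
    "AD:ExternalGroups": ["Domain Users", "IT"],
    "Session:PostureStatus": "Compliant",
}
PEAP_SESSION = {
    "Wireless_802.1X": True,
    "Network Access:EapTunnel": "PEAP",
    "AD:ExternalGroups": ["Domain Users", "Sales"],
}
TEAP_NOT_COMPLIANT = {**TEAP_SESSION, "Session:PostureStatus": "NonCompliant"}

if __name__ == "__main__":
    for s in (TEAP_SESSION, PEAP_SESSION, TEAP_NOT_COMPLIANT):
        print(authorize(s), authorize(s, order=(PEAP_RULE, TEAP_RULE)))
    print("PEAP session enters TEAP-only set:", policy_set_applies(PEAP_SESSION, {"TEAP"}))
```

Swapping the two authorization rows changes nothing because each row pins a different EapTunnel value; a rule that omitted that condition would match both populations and ordering would then decide the outcome.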
