
Configuring EAP-Chaining with EAP-TLS

henokk60 (Level 1)


Hi All,

We are working on configuring EAP Chaining for both machine and user authentication. Based on Cisco's documentation, EAP Chaining allows both the user and machine to be authenticated in a single session. I'm exploring two methods for this: EAP-FAST and TEAP, both of which support an inner method of EAP-TLS. To help me move forward, I'd like to compare these two options based on the following:

  • Ease of deployment

  • Security

Any insights or recommendations you have would be greatly appreciated.

Best Regards,

2 Replies

@henokk60 EAP-FAST requires Cisco NAM licenses; there is additional overhead in deploying and managing the client software, and there is also the cost of purchasing the NAM licenses.

TEAP uses the Windows native supplicant, so there is no additional cost. TEAP can be centrally managed using AD GPOs.

EAP Chaining (with EAP-FAST or TEAP) can use EAP-TLS and provides more security: by combining the user and machine authentications, it ensures a user is connecting from a corporate-owned asset that has been authenticated.

Ben Walters (Level 4)

Beyond what Rob mentioned, if you are using the Windows native supplicant for TEAP, you must use EAP-TLS with user and machine certificates unless you disable Credential Guard in Windows 11. This is a limiting factor for some environments; you can disable Credential Guard, but it is a recommended security feature.

If you have the means to use certificate-based auth, it seems to work extremely well from a security and end-user standpoint.
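An added example that is not part of the thread above or of any Cisco or Microsoft tooling: a PowerShell check an administrator can run on a Windows 11 client to confirm the two points the replies make, namely that the exported 802.1X profile uses TEAP (IANA EAP type 55) with EAP-TLS (type 13) as the inner method, and that Credential Guard is running, which is the combination Ben describes as working with the native supplicant. The profile XML embedded below is constructed and simplified for illustration; a real export comes from `netsh wlan export profile name="<SSID>" folder=C:\Temp` (or `netsh lan export profile` for wired), and the function names `Get-EapMethodsFromProfile`, `Get-CredentialGuardState` and `Test-TeapChainingProfile` are my own. The check treats the first numeric `Type` element in document order as the outer method and the remaining ones as inner methods, which is a heuristic rather than a guaranteed property of the Microsoft schema.

```powershell
# Added example (not from the thread): review a Windows 802.1X profile export for
# TEAP with EAP-TLS inner methods and report Credential Guard state.
# IANA EAP type numbers: EAP-TLS=13, PEAP=25, EAP-MSCHAPv2=26, EAP-FAST=43, TEAP=55.
$EapTypeNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2'; 43 = 'EAP-FAST'; 55 = 'TEAP' }

# Constructed, simplified profile fragment: outer TEAP with two EAP-TLS inner methods
# (machine and user). Real exports carry more elements and attributes than this.
$SampleProfileXml = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">55</Type>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
    </Eap>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
    </Eap>
  </Config>
</EapHostConfig>
'@

function Get-EapMethodsFromProfile {
    # Returns the numeric EAP types found in a profile, outer method first.
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # Match every element named "Type" regardless of XML namespace, keep numeric ones.
    $nodes = $ProfileXml.SelectNodes("//*[local-name()='Type']")
    $types = foreach ($n in $nodes) {
        if ($n.InnerText.Trim() -match '^\d+$') { [int]$n.InnerText.Trim() }
    }
    [pscustomobject]@{
        Outer = if ($types) { $types[0] } else { $null }
        Inner = if ($types.Count -gt 1) { @($types[1..($types.Count - 1)]) } else { @() }
    }
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard exposes the virtualization-based security services;
    # value 1 in SecurityServicesRunning means Credential Guard is running.
    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
        [pscustomobject]@{
            Configured = [bool]($dg.SecurityServicesConfigured -contains 1)
            Running    = [bool]($dg.SecurityServicesRunning -contains 1)
        }
    } catch {
        # Not a Windows host with Device Guard WMI classes (or insufficient rights).
        [pscustomobject]@{ Configured = $null; Running = $null }
    }
}

function Test-TeapChainingProfile {
    # Combines the profile review with the Credential Guard state and returns findings.
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $methods = Get-EapMethodsFromProfile -ProfileXml $ProfileXml
    $cg = Get-CredentialGuardState
    $innerNames = @($methods.Inner | ForEach-Object { $EapTypeNames[$_] ?? "type $_" })
    $findings = @()
    if ($methods.Outer -ne 55) {
        $findings += "Outer method is $($EapTypeNames[$methods.Outer] ?? $methods.Outer), not TEAP."
    }
    if ($methods.Inner.Count -lt 2) {
        $findings += 'Fewer than two inner methods: EAP chaining needs a machine and a user method.'
    }
    if ($methods.Inner | Where-Object { $_ -ne 13 }) {
        $findings += "Non-EAP-TLS inner method present ($($innerNames -join ', '))."
        if ($cg.Running) {
            $findings += 'Credential Guard is running; password-based inner methods are blocked on the native supplicant.'
        }
    }
    [pscustomobject]@{
        OuterMethod            = $EapTypeNames[$methods.Outer] ?? $methods.Outer
        InnerMethods           = $innerNames
        CredentialGuardRunning = $cg.Running
        Findings               = $findings
        Pass                   = ($findings.Count -eq 0)
    }
}

# Usage: review the constructed sample, or pass a real export with
#   Test-TeapChainingProfile -ProfileXml ([xml](Get-Content C:\Temp\<profile>.xml -Raw))
Test-TeapChainingProfile -ProfileXml ([xml]$SampleProfileXml) | Format-List
```

The `??` operator requires PowerShell 7; on Windows PowerShell 5.1 replace each `$a ?? $b` with an `if ($null -ne $a) { $a } else { $b }` expression. The Credential Guard fields are `$null` when the script runs where the Device Guard WMI class is absent, so the profile review still completes off-box.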