EAP‑TLS 802.1X Rollouts on Cisco ISE

henokk60
Level 1

Hi Mates,

We’re planning to roll out EAP‑TLS and I’d like to tap into your experience. What prior considerations, best practices, and potential issues or challenges — either before or after rollout — should we be aware of?

Thanks in advance for sharing your insights.

Best regards,

7 Replies

@henokk60 first of all, what authentication mode are you using? User or machine authentication or EAP Chaining (user and machine)?

Are you in open, monitor or closed mode?

You are going to have to pre-deploy the certificates via GPO, assuming you are in an AD environment?

If using user authentication via EAP-TLS and the user has never logged into the computer before, the user will not have the necessary certificate at the time of authentication, 802.1X authentication will fail, and network access will be denied until the certificate is properly enrolled and installed. 

@Rob Ingram
Currently we operate in Closed Mode; authentication is PEAP‑MSCHAPv2, user authentication only.

To minimize disruption, and to roll out in a planned way with minimal interruption, what do you suggest to us?

@henokk60 deploy the user/machine certificates via GPO well in advance (a month or so) of changing to use EAP-TLS. This will allow all devices time to enroll for the certificates and avoid any authentication issues when you migrate to EAP-TLS.

I'd recommend using EAP Chaining using TEAP with EAP-TLS to combine the user and machine authentications.
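As an added example (not from this thread), a PowerShell readiness check that supports the advice above to enroll certificates well ahead of the cutover: it inspects the machine and user personal stores for a client-authentication certificate from the internal CA that has a usable private key, enough remaining validity to outlast the rollout window, and a chain that verifies. The CA name in `-IssuerMatch` and the 30-day window are assumed placeholders.

```powershell
# Added example: pre-migration EAP-TLS certificate readiness check for a Windows
# endpoint. Run under the user's session so both the machine and user stores
# are visible. The issuer string is a placeholder; replace it with your issuing CA.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-EapTlsCertStatus {
    param(
        [Parameter(Mandatory)][ValidateSet('LocalMachine','CurrentUser')][string]$Store,
        [string]$IssuerMatch = 'CN=CORP-ISSUING-CA',   # placeholder CA name
        [int]$MinDaysValid = 30                        # must outlast the rollout window
    )
    $now = Get-Date
    # Only certificates from the expected CA that carry the Client Authentication EKU
    $certs = Get-ChildItem "Cert:\$Store\My" | Where-Object {
        $_.Issuer -like "*$IssuerMatch*" -and
        $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
    }
    if (-not $certs) {
        return [pscustomobject]@{
            Store = $Store; Thumbprint = $null; Ready = $false
            Reason = 'no client-auth certificate from expected CA (check auto-enrollment GPO)'
        }
    }
    foreach ($c in $certs) {
        $problems = @()
        if (-not $c.HasPrivateKey) { $problems += 'no private key' }
        if ($c.NotAfter -lt $now.AddDays($MinDaysValid)) {
            $problems += "expires $($c.NotAfter.ToString('yyyy-MM-dd'))"
        }
        # Verify() builds the chain and checks revocation with the machine's settings
        if (-not $c.Verify()) { $problems += 'chain or revocation check failed' }
        $reason = if ($problems.Count -eq 0) { 'ok' } else { $problems -join '; ' }
        [pscustomobject]@{
            Store = $Store; Thumbprint = $c.Thumbprint
            Ready = ($problems.Count -eq 0); Reason = $reason
        }
    }
}

# Machine certificate (needed for machine auth / TEAP chaining) and user certificate
$results = @(Get-EapTlsCertStatus -Store LocalMachine) + @(Get-EapTlsCertStatus -Store CurrentUser)
$results | Format-Table Store, Ready, Reason, Thumbprint -AutoSize
if ($results | Where-Object { -not $_.Ready }) {
    Write-Warning 'Endpoint is NOT ready for EAP-TLS cutover; fix the items above first.'
}
```

Collecting this output from a sample of endpoints a few weeks before the switch shows whether auto-enrollment has actually reached every device, which is the failure the advice above is meant to avoid.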

@henokk60 you didn't mention whether wireless or wired deployment - there is quite a difference in how those get rolled out and the complexity involved. As @Rob Ingram suggested, the modern approach is EAP-TEAP and that only works in Windows environments. If you have a mixed environment with older Windows 10 (ha ha ... not for long ...) and other devices such as mobile devices, then your lowest common denominator is EAP-TLS - and it's not a wrong choice - EAP-TEAP for Windows is great because it solves the age-old issue of EAP chaining in a standards-based way.

Of course you can have clients using EAP-TLS and EAP-TEAP on the same SSID or switch - RADIUS servers can handle many EAP methods - don't be tempted by EAP-PEAP (it's discouraged on Windows platforms and Microsoft is trying hard to prevent this from working - for good reasons). But PEAP will work on IoT devices and such.

If 802.1X is new to you then start with a wireless SSID because setting up this stuff on wireless is much easier than on wired.

Once you are happy with the experience, start with a few switches in Monitor Mode (assuming you have Cisco switches) and observe the fun and games with MAB/802.1X interactions. Cisco has an excellent wired prescriptive guide that takes you on that journey.

Then move to Low Impact Mode once you know what devices are connecting to your switches, and you have prepared your RADIUS platform (hopefully ISE) for this to be smooth.

The answers are going to differ based on if it's for wired or wireless.

But in general, and to add to the great points offered by Rob and Arne, try to consider different failure scenarios and try to test them.

And in general, try to avoid PEAP & MSCHAPv2 if at all possible.

---
Please mark helpful answers & solutions
---

henokk60
Level 1

It is a wireless deployment with Cisco WLC.

Wireless is the best place to start with 802.1X.