EAP-TLS Fall back

henokk60
Level 1

Hi All,

We plan to migrate ISE Authentication from PEAP to EAP‑TLS and want the transition to be as smooth as possible. I would like to know if it is feasible to configure EAP‑TLS as the primary authentication method with PEAP as a fallback, and if so, how this can be implemented?

Thanks

4 Replies

shana598brush
Level 1

@henokk60 wrote:

Hi All,

We plan to migrate ISE Authentication from PEAP to EAP‑TLS and want the transition to be as smooth as possible. I would like to know if it is feasible to configure EAP‑TLS as the primary authentication method with PEAP as a fallback, and if so, how this can be implemented?

Thanks

Yes, it's feasible using multiple authentication policies in Cisco ISE. You can configure EAP-TLS as the primary method and set a secondary policy for PEAP fallback. Ensure your Allowed Protocols list includes both methods, and use identity source sequences to prioritize certificate-based auth while allowing AD fallback for PEAP.

Best Regards,
Shana Brush

Can I see the ISE policy for PEAP?

MHM

PEAP has two inner authentication methods.

One is MSCHAPv3 and the other is EAP-TLS.

You can enable only EAP-TLS under PEAP in the allowed protocols and make some changes in the authentication policy.

This makes both kinds of user (PEAP MSCHAPv3 and PEAP EAP-TLS) authenticate.

MHM

@henokk60 the native Windows supplicant doesn't support failover; Cisco NAM should if you have multiple profiles and define an order. If your supplicant doesn't support failover then you'd have to rely on MAB for fallback.

Cisco ISE will authenticate using any protocol offered by the client as long as it's defined in the allowed protocols list.

In an ISE deployment you typically deploy Monitor Mode first, which still permits network access if authentication fails. During this phase you monitor the authentication logs and rectify any authentication issues for devices failing to authenticate; only then do you proceed to low-impact or closed mode.
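The Monitor Mode step above is where the PEAP-to-EAP-TLS migration is actually tracked: the authentication logs show which endpoints already pass with EAP-TLS, which still only pass with PEAP, and which fail EAP-TLS and need a certificate fix. As an added example (not from the thread or from Cisco), the script below classifies endpoints from constructed ISE-style syslog lines; the key=value layout, the message class names and every MAC and failure reason in it are assumptions for illustration, not a real ISE export.

```python
import re
from collections import defaultdict

# Constructed ISE-style authentication syslog lines (layout assumed for
# illustration; real messages carry many more attributes). One line per attempt.
SAMPLE_LOG = """\
CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-01, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, UserName=alice
CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-02, EapAuthentication=EAP-TLS, UserName=host/pc02.corp.example
CISE_Failed_Attempts Calling-Station-ID=00-11-22-33-44-03, EapAuthentication=EAP-TLS, FailureReason=client certificate chain not trusted
CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-03, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, UserName=carol
CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-04, AuthenticationMethod=Lookup, UserName=00-11-22-33-44-04
"""

FIELD_RE = re.compile(r"([\w-]+)=([^,]+)")


def parse_line(line):
    """Split one log line into its message class and key=value attributes."""
    msg_class, _, rest = line.partition(" ")
    rec = {k: v.strip() for k, v in FIELD_RE.findall(rest)}
    rec["passed"] = msg_class == "CISE_Passed_Authentications"
    # The method the client offered: the tunnel (PEAP) when present, otherwise the
    # outer EAP type, otherwise a MAB lookup.
    rec["method"] = (rec.get("EapTunnel") or rec.get("EapAuthentication")
                     or rec.get("AuthenticationMethod", "unknown"))
    return rec


def migration_report(log_text):
    """Classify each endpoint (by MAC) for the PEAP -> EAP-TLS migration."""
    per_mac = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_mac[rec["Calling-Station-ID"]].append(rec)
    report = {}
    for mac, attempts in per_mac.items():
        tls_ok = any(a["passed"] and a["method"] == "EAP-TLS" for a in attempts)
        tls_fail = [a for a in attempts if not a["passed"] and a["method"] == "EAP-TLS"]
        peap_ok = any(a["passed"] and a["method"] == "PEAP" for a in attempts)
        if tls_ok:
            status = "eap-tls-ok"
        elif tls_fail:  # flagged even if a later PEAP attempt passed: this is what to fix
            status = "eap-tls-failing: " + tls_fail[-1].get("FailureReason", "no reason logged")
        elif peap_ok:
            status = "still-peap"
        else:
            status = "no-eap (MAB only)"
        report[mac] = status
    return report


if __name__ == "__main__":
    for mac, status in migration_report(SAMPLE_LOG).items():
        print(mac, status)
```

Endpoints reported as "eap-tls-failing" are the ones to rectify before leaving Monitor Mode; "still-peap" endpoints have not yet been moved to the certificate profile.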