
ISE TACACS for PEAP

DanWeaver
Cisco Employee

Customer is going from ACS to ISE for TACACS and asked the following:

"Just to be clear we use the tacacs for peap for our green wireless authentication.  Will this change anything ?"


Any help much appreciated!

Accepted Solutions

Arne Bier
VIP Advisor

The abstruse wording reminds me of something you'd see in a CCIE written exam ... it's outright confusing but somewhere in there is some meaning

You don't often see PEAP and TACACS in the same sentence. I have not seen a NAS vendor that supports TACACS as the protocol to transport the EAP messages to the authenticating server, if this is what the customer is referring to. Otherwise please ask them to clarify what they mean.

What is green wireless authentication?  Some details might be useful here.

Bottom line is that ISE is perfectly capable of handling most EAP methods (like PEAP).

Perhaps your customer is referring to the fact that the user credentials reside in a TACACS server somewhere and that the AAA needs to proxy the request to an external TACACS? I have not tried it myself, but ISE can proxy TACACS requests - however it's not clear to me whether you can use an External TACACS server in a RADIUS authentication Policy, which is where you'd be starting off the PEAP processing.

hslai
Cisco Employee

Arne is correct. The T+ in ISE supports the same set of protocols and proxy as ACS 5.x. PEAP is not a protocol for T+.

Why not evaluate ISE in a lab and test out all use cases?
