09-24-2025 05:05 AM
Hello,
I am trying to configure TEAP (EAP-TLS). Everything is tested and working fine. Now I am planning to roll it out to a small group of users for testing before I roll it out to the entire organization. I am trying to match the policy set condition to an attribute, so it only affects a selected number of users. I am able to do this by using Radius·Calling-Station-ID Equals *MAC-ADDRESS* and it is working as expected, but I want to use an attribute other than the MAC address, for example: username, PC name, protocol (i.e. TEAP), user/AD group, SGT, etc. I tried to look for them in the studio but couldn't find one. Any leads on how I can achieve this with a condition other than the MAC address?
09-24-2025 05:14 AM - edited 09-24-2025 05:28 AM
@abdullaS typically if using EAP Chaining (TEAP) you'd use conditions Network Access EAP Chaining Result EQUALS User and Machine both succeeded or Network Access EAPChainingResult EQUALS User failed and Machine succeeded.
You can combine that with an AD group such as <Join Point Name> ExternalGroups EQUALS lab.local/Users/Domain Users - change the group name to match your internal group(s).
09-24-2025 06:41 AM
Hi Rob,
This is not available outside of the policy set; it is only available when you enter inside the policy set. For example, in the authentication and authorization policy studio you can find them, but outside the studio it is not available. Also, inside the policy set we have an attribute called Network Access·EapTunnel Equals TEAP, but again this attribute is not available outside of the policy set. If it were available outside, it could resolve what I am trying to achieve. Do you know if we can somehow use this attribute outside of the policy set?
09-24-2025 06:54 AM
@abdullaS not all conditions are available to be used at the policy set level. You'd configure those EAP Chaining/TEAP attributes in the authorisation rules.
Do you have a different policy set for a different set of users? Why not just match Wired/Wireless 802.1X at the policy set level, then have multiple different authorisation rules and strict matching on conditions including EAP Chaining and the AD group of the test users? That would ensure no conflicts with the existing rules.
09-25-2025 01:53 AM
Thanks for the hint, Rob. I got an idea of how I can make it work now. I will test it and update if I face any other challenges.