Solved: TEAP (EAP-TLS) issue with user authentication

abdullaS · ‎08-11-2025

We configured EAP chaining for TEAP and enabled certificate-based authentication for both user and machine.

Below are some key points:

ISE 3.3p7
Win 11
TEAP and EAP chaining protocols are enabled
We followed this doc
Below is AuthZ policy set, and actions are permit all for both (for the sake of testing only)
Here is the live logs result
Here is the adapter auth settings
Correct root cert is selected in both auth methods
User and machine cert enrollment is also working fine

Issue: The machine gets successfully authenticated on wired connection and hit the correct policy but when the user log in, it hits the default ACCESS_REJECT policy.

Live logs results:

During machine auth =

EapChainingResult

User failed and machine succeeded

During user auth =

EapChainingResult

User succeeded and machine failed

We are not able to achieve User and machine succeeded result.

Any leads will be helpful!

abdullaS · ‎08-11-2025

Update:

This issue was resolved. There were some mismatch attributes in SAN of the user cert after making some changings the issue was resolved.

View solution in original post

JPavonM · ‎08-11-2025

Do you have such authorization policy for both suceeded?

abdullaS · ‎08-11-2025

Yes this one.. but i cannot see eap chain result of both succeeded in the live logs when user login

MHM Cisco World · ‎08-11-2025

only change the order of Authz
1- both success
2- user failed and machine success

this order is write in doc you share and this what I know how you config chain

MHM

abdullaS · ‎08-11-2025

Update:

This issue was resolved. There were some mismatch attributes in SAN of the user cert after making some changings the issue was resolved.