TEAP (EAP-TLS) – Machine-Only Auth Result in Access Without User Cert

MSN_1
Level 1

We’re using TEAP with EAP-TLS and EAP-Chaining in our ISE deployment for wired network access. The configuration follows this Cisco document:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

Our authorization policy is similar to the pic below.

[Image: MSN_1_0-1749931056104.png, screenshot of the authorization policy]

The problem was that some users got network access without a valid user certificate. After checking, I found that the machine certificate was present, but the valid user certificate was missing. Yet the user still gained network access. Since TEAP failed user authentication but succeeded in machine authentication, ISE allowed access through the machine-only rule.

Before, we were using TEAP with MSCHAPv2, and with that setup this issue never happened because of how the authentication process works.

I can tweak the machine-only authorization profile to limit access, but I'd like to know whether anyone else has faced this and whether you have any suggestions on how to handle it.

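The behaviour described in the post comes down to rule ordering: a TEAP session whose chaining result is "User failed and machine succeeded" matches a machine-only rule, and whatever profile that rule carries is what the endpoint gets. The following is an added example, not code from the post or from Cisco; it models that first-match evaluation for the two policies (the original, where machine-only maps to full access, and the tweak the poster mentions, where it maps to a limited profile) and then audits a few constructed log lines for sessions that were machine-only yet received a full-access profile. The EapChainingResult attribute values are the ones ISE exposes for EAP chaining; the rule names, profile names and log format are assumptions.

```python
"""
Added example: first-match authorization evaluation keyed on the TEAP
EapChainingResult attribute, plus an audit over constructed log lines.
Rule names, profile names and the log line format are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    chaining_result: str  # value of Network Access:EapChainingResult to match
    profile: str          # authorization profile returned on match (assumed names)


FULL_ACCESS = "PermitAccess"
RESTRICTED = "Machine-Only-Restricted"  # assumed: limited VLAN/dACL for machine-only

# Policy as the post describes it: the machine-only rule hands out full access.
ORIGINAL_POLICY = [
    Rule("User-and-Machine", "User and machine both succeeded", FULL_ACCESS),
    Rule("Machine-Only", "User failed and machine succeeded", FULL_ACCESS),
]

# The tweak the poster considers: machine-only sessions get a limited profile.
HARDENED_POLICY = [
    Rule("User-and-Machine", "User and machine both succeeded", FULL_ACCESS),
    Rule("Machine-Only", "User failed and machine succeeded", RESTRICTED),
]


def authorize(policy, chaining_result, default="DenyAccess"):
    """Evaluate rules top to bottom and return (rule name, profile) of the first match."""
    for rule in policy:
        if rule.chaining_result == chaining_result:
            return rule.name, rule.profile
    return "Default", default


# Constructed log lines (not real ISE output) in a simple key=value layout.
SAMPLE_LOGS = """\
ts=2025-06-14T10:00:01Z user=host/PC01 result=Passed EapChainingResult="User and machine both succeeded" profile=PermitAccess
ts=2025-06-14T10:00:05Z user=host/PC02 result=Passed EapChainingResult="User failed and machine succeeded" profile=PermitAccess
ts=2025-06-14T10:00:09Z user=host/PC03 result=Passed EapChainingResult="User failed and machine succeeded" profile=Machine-Only-Restricted
ts=2025-06-14T10:00:12Z user=jdoe result=Failed EapChainingResult="User succeeded and machine failed" profile=DenyAccess
"""

LINE_RE = re.compile(
    r'user=(?P<user>\S+) .*EapChainingResult="(?P<chain>[^"]+)" profile=(?P<profile>\S+)'
)


def find_machine_only_full_access(log_text, full_access_profiles=(FULL_ACCESS,)):
    """Return identities whose session was machine-only but still got a full-access profile."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a chaining result
        if m["chain"] == "User failed and machine succeeded" and m["profile"] in full_access_profiles:
            hits.append(m["user"])
    return hits


if __name__ == "__main__":
    machine_only = "User failed and machine succeeded"
    print("original policy:", authorize(ORIGINAL_POLICY, machine_only))
    print("hardened policy:", authorize(HARDENED_POLICY, machine_only))
    print("machine-only sessions with full access:", find_machine_only_full_access(SAMPLE_LOGS))
```

Running the audit against real exports would mean adapting `LINE_RE` to the actual column layout; the point it illustrates is that the chaining result, not just the overall Passed/Failed outcome, is what decides which rule fires.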