
TEAP Rollout – Default Profile Enforcement Issue

henokk60
Level 1

Hi All,

We have initiated the rollout of user authentication using TEAP (transitioning from PEAP). During testing, we observed the following issue: when a user clicks the “Forget” button on the Wi-Fi profile, the system reverts to PEAP as the default authentication method. As a result, users are challenged to connect with PEAP instead of TEAP, which breaks the intended authentication flow. What options are available to enforce TEAP as the default profile across all devices?

Thanks

2 Replies

@henokk60 this is not really a Cisco (ISE) issue, but relates to how the devices are managed. Assuming these are Windows devices connected to an Active Directory domain, then a Group Policy should be created and deployed to the devices with the correct authentication settings (TEAP); the users would then be unable to change the settings. Or, if managed by MDM, then deploy a policy to do the same.

Cristian Matei
VIP Alumni

Hi,

 
When a user "forgets" a network, it removes the saved connection profile, and the next connection attempt can no longer use these settings and falls back to default settings or settings pushed through Group Policy Objects (GPOs) from Active Directory to re-establish the connection.
Three solutions here:
1. Ask users not to use the "forget" option, which is prone to failure as users will forget not to use the "forget" option.
2. Use Local Windows Policies to set the configuration to permanently use TEAP, via the Local Group Policy Editor (gpedit.msc); not a scalable option if you have to do this on multiple devices and not the best way to do it if there are computers that are members of AD infrastructure; useful only for computers that are not AD members.
3. Use AD-level GPOs to push 802.1X settings using TEAP.
 
Nothing you can do on ISE to address this challenge.
 
Thanks,
Cristian.
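
An added example, not part of the thread or of either reply: once a GPO or MDM policy has been deployed, a PowerShell check like the one below can confirm that a wireless profile's outer EAP method is TEAP (EAP type 55) rather than PEAP (type 25). The function name, the XML template and the SSID names are constructed for illustration; on a real host the XML would come from `netsh wlan export profile`.

```powershell
# Added example. The profile XML below is constructed, not exported from a real device.
# IANA EAP method numbers: 13 = EAP-TLS, 25 = PEAP, 55 = TEAP.
$EapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 55 = 'TEAP' }

# Minimal skeleton of a Windows WLAN profile; {0} = profile name, {1} = outer EAP type.
$template = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{0}</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{1}</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Get-WlanProfileEapMethod {
    param([Parameter(Mandatory)][xml]$ProfileXml)

    # local-name() sidesteps the several XML namespaces used by the profile schema.
    $nameXPath = "/*[local-name()='WLANProfile']/*[local-name()='name']"
    $typeXPath = "//*[local-name()='EapHostConfig']/*[local-name()='EapMethod']/*[local-name()='Type']"
    $name = $ProfileXml.SelectSingleNode($nameXPath)
    # SelectSingleNode returns the first match in document order, which is the outer method.
    $type = $ProfileXml.SelectSingleNode($typeXPath)

    if (-not $type) {
        # Open or pre-shared-key networks carry no 802.1X section at all.
        return [pscustomobject]@{ Profile = $name.InnerText; EapType = $null; Method = 'no 802.1X'; IsTeap = $false }
    }
    $id = [int]$type.InnerText
    $method = if ($EapNames.ContainsKey($id)) { $EapNames[$id] } else { "unknown ($id)" }
    [pscustomobject]@{ Profile = $name.InnerText; EapType = $id; Method = $method; IsTeap = ($id -eq 55) }
}

# Run the check against one constructed PEAP profile and one constructed TEAP profile.
foreach ($eap in 25, 55) {
    Get-WlanProfileEapMethod -ProfileXml ($template -f "Constructed-SSID-$eap", $eap)
}
```

`netsh wlan show profiles` separates group policy profiles from user profiles, which shows whether the TEAP profile on a device is the policy-delivered one.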
