Exploring the Benefits of Cisco ISE: EAP for Network Security

Cisco ISE: EAP (Extensible Authentication Protocol)


ISE supports many flavors of EAP; this article covers the three most commonly used options:

  • PEAP (Protected Extensible Authentication Protocol)
  • EAP TLS (Transport Layer Security)
  • EAP FAST (Flexible Authentication via Secure Tunneling)

Let's take them one by one.

1. PEAP (Protected Extensible Authentication Protocol)

Protected Extensible Authentication Protocol (PEAP) wraps the Extensible Authentication Protocol (EAP) inside an encrypted and authenticated Transport Layer Security (TLS) tunnel. Its goal is to provide a secure channel between the client and the server during user authentication. PEAP was created jointly by Cisco Systems, Microsoft, and RSA Security.

PEAP is designed similarly to EAP-TTLS: it requires only a server-side PKI certificate to build the TLS tunnel that protects user authentication, and the client uses that server-side public key certificate to authenticate the server. The client and authentication server then communicate through the encrypted TLS tunnel.


Fig 1.1 - PEAP (Protected Extensible Authentication Protocol)

In most deployments the keys for this encryption are exchanged using the server's public key. The authentication exchange that follows inside the tunnel, which authenticates the client, is therefore encrypted, so user credentials cannot be intercepted.

In short, PEAP works much like a web site secured with SSL/TLS: the client uses the server's certificate to encrypt the exchange and does not need a certificate of its own.

2. EAP TLS (Transport Layer Security)

RFC 5216 defines Extensible Authentication Protocol - Transport Layer Security (EAP-TLS). It is a commonly used authentication protocol that allows X.509 digital certificates to be used for authentication. EAP-TLS is widely deployed on WPA2-Enterprise networks and is intended to improve network security through digital certificate authentication.

Fig 1.2 - EAP TLS (Transport Layer Security)

EAP-TLS is similar to PEAP in that it uses TLS to establish a secure channel between the client and the server during authentication. Unlike PEAP, however, EAP-TLS requires both a client-side and a server-side certificate.

In short, EAP-TLS does require both server and client certificates for mutual authentication.


3. EAP FAST (Flexible Authentication via Secure Tunneling)

EAP-FAST (Flexible Authentication via Secure Tunneling) is an EAP method that provides secure communication between a client and an authentication server by establishing a mutually authenticated tunnel using Transport Layer Security (TLS). Cisco Systems created EAP-FAST as a replacement for the Lightweight Extensible Authentication Protocol (LEAP).

To build a secure tunnel between the client and the authentication server, EAP-FAST employs a Protected Access Credential (PAC). The authentication server generates the PAC, which contains a shared secret key used to construct the TLS tunnel. The PAC is then sent to the client, who will use it to authenticate with the authentication server.

Fig 1.3 - EAP FAST (Flexible Authentication via Secure Tunneling)

EAP-FAST offers several advantages, including mutual authentication, immunity to passive dictionary attacks, immunity to man-in-the-middle attacks, flexibility to support most password authentication interfaces, efficiency in computational and power resources, and flexibility to extend communications inside the tunnel.

In short, EAP-FAST does not require client certificates; it uses PAC files to create the secure tunnel. It can perform machine and user authentication simultaneously, and it requires the AnyConnect supplicant on the workstation.
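To make the client-side difference between the three methods concrete, here is an added example that is not part of the original article and is not Cisco or ISE configuration: three network blocks for the Linux wpa_supplicant, one each for PEAP, EAP-TLS and EAP-FAST against the same RADIUS server. The SSID, identities, file paths, the example.com domain and the PAC file name are assumptions; the ca_cert and domain_match lines are what make the PEAP and EAP-FAST tunnels trust only the genuine server before any credential is sent inside them.

```conf
# Added example: wpa_supplicant.conf network blocks, one per EAP method.
# Paths, identities, SSID and the domain are assumptions for illustration.

# 1. PEAP: only the server presents a certificate. The inner MSCHAPv2
#    password exchange is protected solely by the TLS tunnel, so the
#    client must pin the CA and the expected server name; without
#    ca_cert and domain_match it would accept any server offering a cert.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    # outer identity, sent in the clear before the tunnel exists
    anonymous_identity="anonymous@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="ise.example.com"
    phase2="auth=MSCHAPV2"
}

# 2. EAP-TLS: mutual authentication. The client presents its own
#    certificate, so there is no password and no inner method.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="ise.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="REPLACE_ME"
}

# 3. EAP-FAST: the tunnel is built from a PAC rather than a client
#    certificate. fast_provisioning=2 permits only authenticated
#    (server-certificate based) PAC provisioning, never an anonymous one.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="alice@example.com"
    anonymous_identity="anonymous@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    phase1="fast_provisioning=2"
    pac_file="/etc/wpa_supplicant/alice.pac"
    phase2="auth=MSCHAPV2"
}
```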

Here is a comparison of PEAP (Protected Extensible Authentication Protocol), EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), and EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling), drawing on the points above:

  • Certificates: PEAP needs only a server certificate; EAP-TLS needs both server and client certificates; EAP-FAST needs no client certificate.
  • Tunnel establishment: PEAP and EAP-TLS build the TLS tunnel from the server's certificate; EAP-FAST builds it from a PAC issued by the authentication server.
  • Client authentication: PEAP and EAP-FAST authenticate the user with credentials exchanged inside the tunnel; EAP-TLS authenticates the client by its certificate.
  • Client software: EAP-FAST requires the AnyConnect supplicant on the workstation.
  • Origin: PEAP was created by Cisco Systems, Microsoft, and RSA Security; EAP-TLS is defined in RFC 5216; EAP-FAST was created by Cisco as a replacement for LEAP.

Choose between PEAP, EAP-TLS, and EAP-FAST according to your own security and deployment requirements. When adopting one of these EAP methods, consider the level of security required, the compatibility of client devices, and the simplicity of configuration.