TEAP Chaining and Partial Success Policies
Jan Kříž
jan.kriz1867 at gmail.com
Tue Dec 9 16:06:26 UTC 2025
Hello everyone,
I'm following up on a thread from with the subject of "EAP-TEAP not
doing 2nd inner Method" from December 2024
(https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105155.html)
about TEAP and setting network policies based on partial success
(e.g., Machine cert succeeds, but User cert fails).
I would specifically like to ask for clarification about something
Alan DeKok wrote in the mentioned thread:
> Exactly. None of the implementations (even Windows) support this workflow.
I agree that the client side is a huge hurdle here, but I’m confused
because some commercial platforms like Cisco ISE and Aruba ClearPass
explicitly advertise and allow admins to configure different
VLANs/ACLs precisely for that partial success scenario.
Since the commercial vendors seem to have found a way to achieve this,
are they relying on some vendor-specific extensions or a different,
non-TEAP chaining method entirely? Is it possible to configure this in
FreeRADIUS at all?
Any insight into how FreeRADIUS could be configured to accurately
process the final result and differentiate between Machine-only,
User-only success and Full success would be hugely helpful.
Thanks for the clarification!
Best regards, Jan K.
More information about the Freeradius-Users
mailing list