https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018336#M24139 <P>Start with reading the following document. It will give you some good examples:</P> <P><A href="http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html">Flexible Authentication Order, Priority, and Failed Authentication</A></P> Fri, 03 Feb 2017 07:11:34 GMT Karsten Iwen 2017-02-03T07:11:34Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018335#M24138 <P>Can someone out here please explain the meaning of below</P> <P></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">interface &lt;interface_number&gt; </SPAN></P><P></P><P></P> <P><SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">authentication order mab dot1x </SPAN></SPAN></P><P></P><P></P> <P><SPAN><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">authentication priority dot1x mab</SPAN></SPAN></P><P></P><P></P> <P><SPAN></SPAN></P> <P><SPAN style="font-size: 9.0pt; font-family: 'Courier New';">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';"></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">what is the real-time use of order and priority commands ?</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';"></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">Is it mandatory to have priority command ?</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';"></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';"></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';">Please give some real-life exmaples</SPAN></P> Mon, 11 Mar 2019 07:26:02 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018335#M24138 prashant dwivedi 2019-03-11T07:26:02Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018336#M24139 <P>Start with reading the following document. It will give you some good examples:</P> <P><A href="http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html">Flexible Authentication Order, Priority, and Failed Authentication</A></P> Fri, 03 Feb 2017 07:11:34 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018336#M24139 Karsten Iwen 2017-02-03T07:11:34Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018337#M24140 <P>Here is my understanding , if someone would like to comment and confim if this is correct</P> <P></P> <P><STRONG><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></STRONG></P> <P><STRONG><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">Use case 1 :</SPAN></STRONG></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication order mab dot1x</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication priority dot1x mab</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">Result- first client will do MAB ( if this passed ) then will do the dot1x. If MAB auth failed&nbsp; &nbsp;then also do the dot1x. Negative side of this is that each and every device has to go through MAB process- overhead on ISE . if DOT1x is not successful it will get the policy as configured for MAB. </SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><STRONG><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">Use Case 2- </SPAN></STRONG></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication order mab dot1x</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication priority mab Dot1x</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">MAB failed , it will go to Dot1x</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">MAB passed- it will not go to DOT1x.</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">Use Case 3- </SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication order dot1x mab</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">authentication priority mab Dot1x</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">End-point will do Dot1x, will only go to MAB if DOT1x Fails.</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #004b8d;">&nbsp;</SPAN></P> Mon, 06 Feb 2017 05:58:55 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3018337#M24140 prashant dwivedi 2017-02-06T05:58:55Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3729052#M24141 <P>Could anyone confirm that if:</P> <P>order mab dot1x</P> <P>priority dot1x mab</P> <P>&nbsp;</P> <P>then a dot1x client will start up as mab but immediately be switched to dot1x upon sending an eapol frame?</P> <P>ie it doesn't have to fail the mab process to progress to dot1x and therefore the mab process won't fail due to the dot1x being sucessful?</P> Sat, 20 Oct 2018 08:47:39 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3729052#M24141 louis0001 2018-10-20T08:47:39Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3734071#M24142 <P>Yes.</P> Sat, 27 Oct 2018 03:50:01 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3734071#M24142 hslai 2018-10-27T03:50:01Z https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3735905#M24143 It depends on the policies, I prefer to do the dot1x first and if fails then do MAB.<BR />If you have MAB policies that can "overlap" with dot1x policies then it might cause issues, e.g. MAB policy for workstation onboarding. <BR />In most cases dot1x first works better for me. Tue, 30 Oct 2018 20:12:30 GMT https://community.cisco.com/t5/network-access-control/flexible-authentication-order-priority-cisco-ise/m-p/3735905#M24143 Panos Bouras 2018-10-30T20:12:30Z