https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953379#M455932 <P>Please share your auth rules to be sure your 802.1x rule does not have any coorelation with MAB.</P><P>&nbsp;</P><P>Really though, wifi should only be doing MAB or dot1x, not both.&nbsp; If you want to use dot1x, please ensure MAC filtering is disabled on the wlan.</P> Tue, 05 Nov 2019 14:27:30 GMT JohnNewman7082 2019-11-05T14:27:30Z https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953274#M455926 <P>Hello,</P><P>&nbsp;</P><P>I note from logs that our &nbsp;WIFI users are authenticating via the Default&nbsp;MAB rule in the default policy set&nbsp;and then authenticating via a 802.1x rule created within a policy set I have created, which is further up in the policy sets.</P><P>If I disable the default MAB authentication rule within the default policy set the user then fails authentication in the 802.1x rule.</P><P>&nbsp;</P><P>It appears that the user first uses MAB then 802.1x.</P><P>&nbsp;</P><P>Is there a way around this, I only want users to authenticate in the Policy Set that I created and not use the default Policy Set.</P><P>&nbsp;</P><P>Thanks</P><P>Andy</P> Tue, 05 Nov 2019 11:02:18 GMT https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953274#M455926 aspry 2019-11-05T11:02:18Z https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953360#M455927 <P>Try changing the order in authentication policy and give it a try.</P><P>&nbsp;</P><P>ISE tried policies in sequential order. Also, for authentication failing via dot1x a quick view on the policy might give an idea.</P> Tue, 05 Nov 2019 14:07:29 GMT https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953360#M455927 varma10 2019-11-05T14:07:29Z https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953379#M455932 <P>Please share your auth rules to be sure your 802.1x rule does not have any coorelation with MAB.</P><P>&nbsp;</P><P>Really though, wifi should only be doing MAB or dot1x, not both.&nbsp; If you want to use dot1x, please ensure MAC filtering is disabled on the wlan.</P> Tue, 05 Nov 2019 14:27:30 GMT https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3953379#M455932 JohnNewman7082 2019-11-05T14:27:30Z https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3956009#M455934 <P>If you are using Cisco WLC, you might have the WLAN configured for <A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-4/config-guide/b_cg84/wlan_security.html#d165846e10533a1635" target="_blank">MAC Authentication Failover to 802.1X</A>.</P> <P>You might want to take a look at this guide -- <A href="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html" target="_self">Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3</A>&nbsp;</P> Sat, 09 Nov 2019 04:01:45 GMT https://community.cisco.com/t5/network-access-control/default-mab-authentication/m-p/3956009#M455934 hslai 2019-11-09T04:01:45Z