topic Re: Windows PC's using MAB instead of dot1x spontaneously in Network Access Control

Windows PC's using MAB instead of dot1x spontaneously

BrianPersaud — Mon, 23 Sep 2019 15:33:23 GMT

Hi All

Having a weird spontaneous issue on some WIndows PC's that are setup for 802.1x. After a complete bootup, ISE logs show that the PC is doing MAB authentication and are failing as expected. If I unplug the network cable and reconnect, then the PC's connect using 802.1x and pass authentication. It happens on occasions.

I am not using group policy at this point so all the configs are applied to the PC directly. We are using computer authentication with Microsoft PEAP.

When I check the switch logs, it does show the attempts are made with dot1x then MAB. However ISE is only seeing the MAB attemtps.

On the ISE side, the policy is set to allow computers that are part of the domain computers security group.

interface GigabitEthernet1/0/1
switchport access vlan 12
switchport mode access
switchport voice vlan 8
ip access-group PORT-ACL-DEFAULT in
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Extended IP access list PORT-ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit tcp any host 10.11.2.23 eq 8443
60 deny ip any any

aaa authentication login default group radius local
aaa authentication enable default enable group radius
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.11.2.23 server-key 7 xxx
server-key 7 xxx
aaa session-id common
dot1x system-auth-control
dot1x critical eapol
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius server ISE01
address ipv4 10.11.2.23 auth-port 1812 acct-port 1813
key 7 xxx

Re: Windows PC's using MAB instead of dot1x spontaneously

Mohammed al Baqari — Mon, 23 Sep 2019 18:29:58 GMT

Hi,

I answered this in below post. Follow the recommendations and it should
work.

https://community.cisco.com/t5/identity-services-engine-ise/intermittent-authentication-failures-on-wired-pc-using-native/td-p/3839705

Remember to rate useful post

Re: Windows PC's using MAB instead of dot1x spontaneously

Colby LeMaire — Mon, 23 Sep 2019 18:38:33 GMT

You can try 2 things. First, remove the dot1x timeout tx-period 10 command from the port. That will reset the dot1x timeout back to 30 seconds with 2 retries for a total of 90 seconds. With your command, dot1x fails over to MAB in 30 seconds. It is possible that the PC has some software on it that takes a long time to boot before the network adapter and Wired AutoConfig service can fully start. 99% of the time, a timeout of 10 seconds with 2 retries is perfect, but there are also rare times where that timer needs to be tweaked higher or lower.

The other thing to try is to remove the default port ACL. If you remove both of those and it still isn't working, then I would recommend some dot1x and Radius debugs on the switch to dig a little deeper. I know you said you saw some dot1x attempts, but that could just be the switch requesting the identity of the endpoint but the switch isn't getting a response so it never sends the information to ISE. You could also SPAN the port and capture the packets. See if the PC is responding to the switch's EAP Request-Identity.

Also check the Event Viewer on the PC for any System events related to the network adapter or 802.1x.

Re: Windows PC's using MAB instead of dot1x spontaneously

paul — Mon, 23 Sep 2019 19:00:42 GMT

Just a couple notes here:

Changing the Dot1x timeout back to 30 seconds should only be a test. We run ours at 7 seconds.
Changing the Dot1x timeout honestly shouldn't matter because even if the switch times out Dot1x and goes to MAB the Windows Supplicant will kick the switch back into Dot1x mode when it comes up and sends out an EAPol Start. The Windows Supplicant (unlike the Mac supplicant) is a initiator and a responder. It will actively try to do 802.1x when the supplicant starts up. If you want to prove that to yourself, stop the Wired AutoConfig servers, get the switch to MAB the device then start the Wired AutoConfig service. The switch should go to Dot1x and authenticate the device. The windows supplicant initiated the Dot1x when the service restarted.

Re: Windows PC's using MAB instead of dot1x spontaneously

BrianPersaud — Mon, 23 Sep 2019 19:01:55 GMT

@Colby LeMaire I will test the settings. Just for reference, when you mentioned "a timeout of 10 seconds with 2 retries is perfect", for the retries, are you referring to the Max Authentication Failures in the GPO?

And yes it may be that the PC is not sending an EAP request.

Thanks

Re: Windows PC's using MAB instead of dot1x spontaneously

Colby LeMaire — Mon, 23 Sep 2019 19:04:40 GMT

2 retries is the default on the switchport so if you don't have a command changing the number of retries, then it will be 2.

Re: Windows PC's using MAB instead of dot1x spontaneously

BrianPersaud — Thu, 26 Sep 2019 15:03:10 GMT

Hi All

I ended up changing the Authentication retries in the GPO from 1 to 3. I think this was the fix for the issue. All other settings on the switchport and ISE were left as per my original post. Didn't have to change the timers on the switch.

Re: Windows PC's using MAB instead of dot1x spontaneously

Nayan.Patel85 — Wed, 08 Jan 2020 14:29:22 GMT

We are having similar issues as well.

we use Windows 10, Dell laptops, Dell WD15 docking station and Avaya IP Phone.

From Wall jack cables goes to Avaya Phone, From Phone to Dock and PC is connected to Dock using USB-C.

Issue that we are seeing is randomly PC will stop authentication using dot1x (PEAP in our case) and will keep authentication using MAB and ISE will deny the MAB request as expected.

user have tried rebooting the laptops no luck,

we verified the Supplicant on the PC was running while issue was happening.

we have seen lot of post about USB-C docking station my cause problem with dot1x if they are not configure for MAC bypass. will send Dock mac address instead of PC mac address. But this is not the case in our situation we have verified that MAC address that we are seeing on ISE is the actual mac address of the PC not.

For the workaround we are telling user to go wireless, which works.

If user reboots the Avayaphone it works temporarily, then issue comes back again.

In some cases we had user bypass the phone and they have not seen the issue happen again.

In some cases we had user connect network cable to the PC instead of the docking station and this also seemed to have fix the problem as well.

At this point we are not sure whats causing the Problem Window 10, Avaya Phone or Docking Station.

As always network guy has to prove that nothing is wrong on the Cisco Switch side or Cisco ISE side.

below is the switchport configuration, we use default timers for dot1x, Cisco ISE configured to allow machine if its member of domain user group (PEAP)

Again this issue is not happening to all the users, its random.

description USER-VLAN
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 10
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action reinitialize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
mls qos trust dscp
dot1x pae authenticator
auto qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input SWITCHPORT-ACCESS-POLICY

Re: Windows PC's using MAB instead of dot1x spontaneously

Colby LeMaire — Wed, 08 Jan 2020 15:21:24 GMT

Try adding the "dot1x timeout tx-period 10" command to the port and also changed the order of authentication to do dot1x first (i.e. "authentication order dot1x mab"). If that doesn't help, then I would recommend grabbing some packet captures on the PC when the issue is happening to see if the PC is actually receiving the EAPOL frames from the switch. It is possible that the phone or docking station is not passing the frames across.

Re: Windows PC's using MAB instead of dot1x spontaneously

BrianPersaud — Wed, 19 Feb 2020 14:32:36 GMT

Can you share the ACL for this: ACL-ALLOW in

Re: Windows PC's using MAB instead of dot1x spontaneously

oron.yaniv — Thu, 20 Mar 2025 07:30:44 GMT

Hi Brian,

I know it's an old thread; however, can you please share the GPO configuration?

we are having the same issue, with sleeping machine,
after returning from sleep stack in MAB.

Re: Windows PC's using MAB instead of dot1x spontaneously

rmead — Thu, 08 May 2025 16:53:28 GMT

How was this achieved in Group Policy? "changing the Authentication retries in the GPO from 1 to 3"

I can only see "Maximum Authenticatoin Failures"