topic Dot1x and MAB Order in Network Access Control

Dot1x and MAB Order

fatalXerror — Mon, 01 Jul 2019 11:31:54 GMT

Hi Guys,

I am authenticating via EAP-TLS in my wired LAN. What will happen if the machine does not have a user certificate in its certificate store, will it failover to MAB?

Is there any dot1x to MAB failover in wireless as well?

Thanks

Re: Dot1x and MAB Order

Mike.Cifelli — Mon, 01 Jul 2019 12:24:09 GMT

If you have flexauth configured via template or statically configured on your interfaces to support mab then if 8021x fails your host would failover to mab. The physical medium should not matter (wired or wireless). Check out: http://www.labminutes.com/video/sec for some good video tutorials and https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html
Good luck & HTH!

Re: Dot1x and MAB Order

fatalXerror — Mon, 01 Jul 2019 13:00:43 GMT

Hi @Mike.Cifelli

Thanks for the feedback.

Yes I have configured FlexAuth in my wired LAN but in wireless I am not sure how to configure it in WLC.

Even if I don't have a certificate, the ISE will still try to authenticate it via 802.1x?

Thanks

Re: Dot1x and MAB Order

hslai — Mon, 01 Jul 2019 22:08:09 GMT

For Cisco WLC, see

Please note that this does not support Radius NAC (ISE NAC) so no ISE posture and CoA might not work properly, either.

Re: Dot1x and MAB Order

fatalXerror — Tue, 02 Jul 2019 10:41:43 GMT

Hi @hslai

I checked link that you provided but it seems to be 802.1x AND MAB. My client wants it to be like FlextAuth when 802.1x is not available, it will failover to MAB.

Is that possible in wireless?

Thanks

Re: Dot1x and MAB Order

hslai — Tue, 02 Jul 2019 12:46:09 GMT

You are correct it's not exactly like the wired flexauth. In my experience, we always create separate WLANs for different security settings, as most clients move from one Wi-Fi network to another fairly easily. On the client side, we either do not configure security at all or do it with the matching parameters.

I've not tried myself but the others found it working in some use cases.

MAC Authentication Failover to 802.1X says,

Configuring MAC Authentication Failover to 802.1X Authentication

You can configure the controller to start 802.1X authentication when MAC authentication with static WEP for the client fails. If the RADIUS server rejects an access request from a client instead of deauthenticating the client, the controller can force the client to undergo an 802.1X authentication. If the client fails the 802.1X authentication too, then the client is deauthenticated.

If MAC authentication is successful and the client requests for an 802.1X authentication, the client has to pass the 802.1X authentication to be allowed to send data traffic. If the client does not choose an 802.1X authentication, the client is declared to be authenticated if the client passes the MAC authentication.