https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749530#M488035 <P>The port should continue to MAB once Dot1x times out or fails.&nbsp; I would get rid of the webauth methods.&nbsp; If the device continues to send Dot1x frames to kick the switch out of MAB they could get indefinite open access to the network.&nbsp; This is the downside to using open mode and the legacy template.</P> Mon, 19 Nov 2018 20:03:03 GMT paul 2018-11-19T20:03:03Z https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749317#M488029 <DIV class="entry-content lotusPostDetails"> <P dir="ltr">If this config on switch:</P> <PRE dir="ltr">interface GigabitEthernet2/0/30 switchport access vlan 24 switchport mode access switchport voice vlan 25 authentication event fail action next-method authentication event server dead action authorize vlan 24 authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-auth authentication open authentication order dot1x mab webauth authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication timer inactivity 30 authentication fallback Webauth mab dot1x pae authenticator spanning-tree portfast end </PRE> <P dir="ltr">When 802.1x client fails authentication, I get open access, and am not being passed to MAB. So my question is, if "authentication open" and authentication order dot1x mab webauth" is configured, IF 802.1x authentication fails, will the port access go to OPEN or will it continue to MAB.</P> </DIV> Mon, 19 Nov 2018 15:16:58 GMT https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749317#M488029 edmcnich 2018-11-19T15:16:58Z https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749454#M488031 <P>Hello edmchich,</P> <P>&nbsp;</P> <P>Configs looks good..</P> <P>Couple of things on ISE</P> <P>1. Hope the endpoint mac address is part of the endpoint identity group(Administration&gt;identity management&gt;groups&gt;endpoint identity groups) -- May be add the mac under one of those available groups.</P> <P>2.Set the authorization profile to have dot1x as first method and MAB as next option and set the condition -- Refer to attachment..</P> <P>&nbsp;</P> <P>Let me know if that helps..</P> <P>&nbsp;</P> Mon, 19 Nov 2018 18:11:22 GMT https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749454#M488031 mnagired 2018-11-19T18:11:22Z https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749530#M488035 <P>The port should continue to MAB once Dot1x times out or fails.&nbsp; I would get rid of the webauth methods.&nbsp; If the device continues to send Dot1x frames to kick the switch out of MAB they could get indefinite open access to the network.&nbsp; This is the downside to using open mode and the legacy template.</P> Mon, 19 Nov 2018 20:03:03 GMT https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3749530#M488035 paul 2018-11-19T20:03:03Z https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3750996#M488037 <P>Hello edmchich</P> <P>&nbsp;</P> <P>Are you good or still need assistance? if not then we would close this thread?? Let us know</P> Wed, 21 Nov 2018 19:34:40 GMT https://community.cisco.com/t5/network-access-control/authentication-open-and-802-1x-failure/m-p/3750996#M488037 mnagired 2018-11-21T19:34:40Z