https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684450#M495447 <P>Thanks for the quick reply! I did some testing and added this to the NAC RADIUS server and got it working.&nbsp;</P> Wed, 08 Aug 2018 20:18:24 GMT NetwkChris 2018-08-08T20:18:24Z https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684188#M495445 <P>Hello,&nbsp;</P> <P>I am experiencing an issue with my network that certain PC's have trouble with authentication. What is happening is that the device authenticates with dot1x first, but then after the 1 hr timer forces the device to re-athenticate. Which causes the device to re-authenticate into MAB, it is put it into the vlan that was created for imaging. The device before it goes to the end-user was imaged using MAB first. Then the customer plugs it in and it authenticates via dot1x, but after the re-authentication timer expires it goes into MAB, and doesnt return to dot1x like it is supposed to, so it can get into the data vlan.&nbsp;</P> <P>&nbsp;</P> <P>Has anyone had this issue before?&nbsp;</P> <P>&nbsp;</P> <P>Here is my port config:&nbsp;</P> <P>description NAC<BR />shut<BR /> switchport mode access<BR /> mtu 9000<BR /> ip device tracking maximum 0<BR /> no cdp enable<BR /> authentication event fail action next-method<BR /> authentication event server dead action authorize voice<BR /> authentication event server alive action reinitialize<BR /> authentication control-direction in<BR /> authentication host-mode multi-domain<BR /> authentication order mab dot1x<BR /> authentication priority dot1x mab<BR /> authentication port-control auto<BR /> authentication periodic<BR /> authentication timer reauthenticate 3599<BR /> authentication violation replace<BR /> mab <BR /> snmp trap mac-notification change added<BR /> snmp trap mac-notification change removed<BR /> dot1x pae authenticator<BR /> dot1x timeout tx-period 10<BR /> storm-control broadcast include multicast<BR /> storm-control broadcast level 2.00<BR /> storm-control action trap<BR /> spanning-tree portfast edge<BR /> spanning-tree bpduguard enable<BR /> ip verify source vlan dhcp-snooping<BR />no shut<BR />end</P> Wed, 08 Aug 2018 14:51:00 GMT https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684188#M495445 NetwkChris 2018-08-08T14:51:00Z https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684226#M495446 <P>Yes, that is expected behavior. If you want to change the behavior so reauth performs 802.1X instead of MAB, please see setting up VSA with Authorization profile part on this document:&nbsp;<SPAN><A href="https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--1759816418" target="_self">Top Ten mis-configured Cisco IOS Switch settings for ISE integration</A> </SPAN></P> <P>&nbsp;</P> Wed, 08 Aug 2018 15:20:54 GMT https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684226#M495446 howon 2018-08-08T15:20:54Z https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684450#M495447 <P>Thanks for the quick reply! I did some testing and added this to the NAC RADIUS server and got it working.&nbsp;</P> Wed, 08 Aug 2018 20:18:24 GMT https://community.cisco.com/t5/network-access-control/nac-order-mab-dot1x/m-p/3684450#M495447 NetwkChris 2018-08-08T20:18:24Z