topic Re: Am I running Dot1x or MAB? in Network Access Control

Am I running Dot1x or MAB?

Kasper Elsborg — Mon, 15 Aug 2022 12:59:58 GMT

Hi Community.

I have manage to configure ISE to run 802.1x on the wired side. But when It comes to wireless, I am in doubt.

The ISE live log suggest that the certificate is matched aginst AD, and EAP-TLS is up and running.

But the "sh authen sess int gi x/x/x detail" is showin MAB authentication?

labsw2#sh authentication sessions interface gi1/0/14 details Interface: GigabitEthernet1/0/14 IIF-ID: 0x12185ADD MAC Address: 0811.96f0.f660 IPv6 Address: fe80::94cd:3ed2:7003:d4f6 IPv4 Address: 192.168.4.105 User-Name: 08-11-96-F0-F6-60 Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: N/A Acct update timeout: 86400s (local), Remaining: 80860s Common Session ID: C0A802FB00000036A13DA646 Acct Session ID: 0x00000011 Handle: 0x3400002c Current Policy: POLICY_Gi1/0/14 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Idle timeout: 65536 sec Server Policies: Method status list: Method State dot1x Stopped mab Authc Success ---------------------------------------- Interface: GigabitEthernet1/0/14 IIF-ID: 0x109BCB50 MAC Address: e4aa.5d68.a2b0 IPv6 Address: fe80::e6aa:5dff:fe68:a2b0 IPv4 Address: 192.168.4.115 User-Name: E4-AA-5D-68-A2-B0 Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: N/A Acct update timeout: 86400s (local), Remaining: 62833s Common Session ID: C0A802FB00000021A02A7AB3 Acct Session ID: 0x00000005 Handle: 0xce000017 Current Policy: POLICY_Gi1/0/14 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Idle timeout: 65536 sec Server Policies: Method status list: Method State dot1x Stopped mab Authc Success labsw2#

MAC addr on the win10 client is:0811.96f0.f660

WIFI is configured for WPA2-Enterprise AES

When running wired I get 802.1x

labsw2#sh authentication sessions interface gi1/0/3 details Interface: GigabitEthernet1/0/3 IIF-ID: 0x17123B16 MAC Address: 0021.cc72.70d9 IPv6 Address: fe80::4467:5437:a836:5a0a IPv4 Address: 192.168.2.231 User-Name: Kasper@Area51.local Status: Authorized Domain: DATA Oper host mode: multi-auth Oper control dir: both Session timeout: N/A Acct update timeout: 86400s (local), Remaining: 86377s Common Session ID: C0A802FB00000042A196013A Acct Session ID: 0x00000021 Handle: 0xcd000038 Current Policy: POLICY_Gi1/0/3 Local Policies: Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150) Security Policy: Should Secure Server Policies: ACS ACL: xACSACLx-IP-Area51-Domain-Admins-62f517cf SGT Value: 3 Method status list: Method State dot1x Authc Success labsw2#

So what am I running in the wireless interface?

Br. Kasper

Re: Am I running Dot1x or MAB?

georgehewittuk1 — Mon, 15 Aug 2022 13:36:28 GMT

Misread your output - Why are you running that command on the switch to check the wireless DOT1X is working is that the WLC/AP port? The WLC is where you will validate the AAA as it would be the authenticator. Looks like wireless is using EAP TLS and working with no problems though.

Re: Am I running Dot1x or MAB?

Kasper Elsborg — Mon, 15 Aug 2022 17:59:55 GMT

hi georgehewittuk1

Thanks for thaking the time

yes the AP is connected to 1/0/14 on the sw, and I'm running the command because... well I can 🙂 so seeing the supplicant ip and mac was present in the sw, led to the question of why it's listed as MAB, when the live log states dot1x.

But I guess the MAB comes from the actual AP, and the dot1x is running inside the capwap?

Is there a way to see the dot1x is running on the vWLC, as on the sw with the cmd?

Br. Kasper

Re: Am I running Dot1x or MAB?

Kasper Elsborg — Mon, 15 Aug 2022 18:34:26 GMT

I found it. on the vWLC under clients. it clearly says 802.1x

Re: Am I running Dot1x or MAB?

thomas — Mon, 15 Aug 2022 19:35:08 GMT

Please see our recent ISE Webinar which is archived on our CiscoISE YouTube Channel for

▶ Securing Cisco Catalyst Wireless with ISE using mPSK / iPSK / 802.1X

01:56 Methods for Securing Catalyst Wireless
03:12 Wireless Pre-Shared Keys Scenario
03:35 Demo Configuration Review
03:58 VLANs & SVIs
04:29 WLANs: guest, iot, corp
05:21 guest WLAN Config
05:57 iot WLAN Config with Pre-Shared Key
06:50 AAA RADIUS Config
09:08 AAA Advanced Config: Interim Updates, Called-Station-ID
12:04 Wireless Access Policies
14:49 Tags (default-policy-tag)
16:38 AP Name & Configuration
18:34 Demo: Guest SSID Test with iPad
19:43 Demo: iot Pre-Shared Key
20:48 ISE LiveLogs & Guest WiFi Policy
23:32 IOT WiFi Policy
25:34 Called-Station-ID in LiveLog Details
27:23 mPSK_IOT Authorization Profile
29:31 Demo: IOT Pre-Shared Key with Raspberry Pi Endpoint Profile
33:11 mPSK Overview
35:48 Demo: mPSK Configuration
40:04 mPSK_RaspberryPi Authorization Profile
42:47 iPSK Overview
43:58 iPSK Manager : Open Source project, not TAC supported!
45:28 Demo: Endpoint Custom Attributes
47:18 Demo: iPSK with Endpoint Attributes
48:23 iPSK_EndpointAttribute Authorization Profile using Endpoint Attributes
50:26 802.1X Overview
53:08 Supplicant Configuration
54:15 Demo: 802.1X corp WLAN for Employees with a Certificate

Re: Am I running Dot1x or MAB?

Kasper Elsborg — Tue, 16 Aug 2022 17:29:48 GMT

Thank you thomas!

Br. Kasper

Re: Am I running Dot1x or MAB?

georgehewittuk1 — Tue, 16 Aug 2022 18:23:47 GMT

That's the one good work!