https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035631#M587949 <P>Hi MHM,</P><P>I use internal database.</P><P>The port is configured in this way:</P><P>interface GigabitEthernet10/32<BR />description LABTEST<BR />switchport access vlan 75<BR />switchport mode access<BR />switchport nonegotiate<BR />authentication event server dead action authorize<BR />authentication event server dead action authorize voice<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-auth<BR />authentication order dot1x mab<BR />authentication priority dot1x<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication timer inactivity server<BR />authentication violation restrict<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />spanning-tree portfast edge<BR />spanning-tree guard root<BR />end</P> Thu, 07 Mar 2024 07:32:37 GMT ifabrizio 2024-03-07T07:32:37Z https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035114#M587930 <P>Dear All,</P><P>I have configured a test switch port, with Dot1x and Mab as fallback authentication.</P><P>I connected a new PC that is not know by the ISE, with no certificates, so the Dot1x do not works.</P><P>I aspect that the MAB auth should not allow PC access to the network cause the PC is unknow.</P><P>I also modify the Default Authentication roule with setting:</P><P>If auth fail = Reject</P><P>If user not found = Reject</P><P>If proccess fails = Drop</P><P>But after few second the ISE accept the new PC and grant access to the network, using the Default MAB auth roule:</P><P>Authentication Policy Default &gt;&gt; MAB<BR />Authorization Policy Default &gt;&gt; Basic_Authenticated_Access<BR />Authorization Result PermitAccess</P><P>Could you help pls?</P><P>Best regards,</P><P>JF</P> Wed, 06 Mar 2024 15:38:09 GMT https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035114#M587930 ifabrizio 2024-03-06T15:38:09Z https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035185#M587932 <P>Which dB you use for check endpoint?</P> <P>Can I see the SW port config&nbsp;</P> <P>MHM</P> Wed, 06 Mar 2024 17:28:13 GMT https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035185#M587932 MHM Cisco World 2024-03-06T17:28:13Z https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035207#M587934 <P>there are couple elements involved and how they configured, right from switch port and ISE config.</P> <P>check below guide example :</P> <P><A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> Wed, 06 Mar 2024 17:45:49 GMT https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035207#M587934 balaji.bandi 2024-03-06T17:45:49Z https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035631#M587949 <P>Hi MHM,</P><P>I use internal database.</P><P>The port is configured in this way:</P><P>interface GigabitEthernet10/32<BR />description LABTEST<BR />switchport access vlan 75<BR />switchport mode access<BR />switchport nonegotiate<BR />authentication event server dead action authorize<BR />authentication event server dead action authorize voice<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-auth<BR />authentication order dot1x mab<BR />authentication priority dot1x<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication timer inactivity server<BR />authentication violation restrict<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />spanning-tree portfast edge<BR />spanning-tree guard root<BR />end</P> Thu, 07 Mar 2024 07:32:37 GMT https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5035631#M587949 ifabrizio 2024-03-07T07:32:37Z https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5038513#M588044 <P>Dear All,</P><P>Finally I found the problem.</P><P>In the ISE Default Authorization Policy was missing a Policy that deny to the Unknow devices to grant access to the Network.</P><P>such as:</P><P>Identity Group-Name Equals EnndPoint Identity Groups:Unknow Results = Deny Access.</P><P>Bye,</P><P>JF.</P> Wed, 13 Mar 2024 07:30:27 GMT https://community.cisco.com/t5/network-access-control/dot1x-client-authentication-with-mab-fallback-method/m-p/5038513#M588044 ifabrizio 2024-03-13T07:30:27Z