topic Re: Cisco APs MAB in Network Access Control

Cisco APs MAB

Leonardo Santana — Tue, 13 Aug 2024 12:19:12 GMT

Hi,

What´s is the best way to authenticate the APs in flexconnect? MAB or NEAT?

Version: Cisco ISE 3.3

Re: Cisco APs MAB

M02@rt37 — Tue, 13 Aug 2024 12:30:51 GMT

Even with the additional complexity introduced by CISP, NEAT remains the better option for authenticating APs in a FlexConnect environment due to its superior security and network integrity (scalability also). MAB might still be used in environments where simplicity is more critical than security, but for production networks, particularly those that are sensitive to security and scalability, NEAT is the recommended approach.

Re: Cisco APs MAB

ahollifield — Tue, 13 Aug 2024 16:00:24 GMT

100% depends on the organization's security policies. You can also enable a local supplicant on the AP: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217848-configure-802-1x-supplicant-for-access-p.html

Re: Cisco APs MAB

MHM Cisco World — Tue, 13 Aug 2024 16:17:42 GMT

According to Ciscolive I reviewed before MAB is good for auth AP.

MHM

Re: Cisco APs MAB

Massimo Baschieri — Wed, 14 Aug 2024 04:10:27 GMT

Flexconnect exposes all the mac addresses for the wireless hosts to the switch port, how do you manage this with mab?

Re: Cisco APs MAB

ahollifield — Wed, 14 Aug 2024 05:35:35 GMT

You don't. Most of my customers exclude FlexConnect APs from authentication (it's a trunk port after all). The other way is to use Smart Port Macros.

Re: Cisco APs MAB

Leonardo Santana — Thu, 15 Aug 2024 12:53:10 GMT

Hi,

Thanks for your answer, our customer just want to configure the APs with MAB. This config below will work?

interface gigax/x
description ">_MERAKI_LAN<"
switchport trunk encapsulation dot1q
switchport trunk allowed vlan x,x,x,x,x
switchport mode trunk
switchport nonegotiate
authentication control-direction in
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
logging event trunk-status
logging event bundle-status
load-interval 30
duplex full
ip dhcp snooping trust

If the AP is in Flex Connect mode, local switching, then an additional configuration has to be made on the switch interface to allow multiple MAC addresses on the port, since the client traffic is released at the AP level :

authentication host-mode multi-host

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217848-configure-802-1x-supplicant-for-access-p.html

Re: Cisco APs MAB

M02@rt37 — Fri, 16 Aug 2024 08:45:41 GMT

Hello @Leonardo Santana

It looks fine.

And yes, since the AP is in FlexConnect mode with local switching, it's crucial to allow for multiple MAC addresses on the port... which you've done with authentication host-mode multi-host.