topic Re: cisco ISE workstation run sometimes MAB instead 802.1x in Network Access Control

cisco ISE workstation run sometimes MAB instead 802.1x

faruk.zaimovic — Thu, 29 Aug 2024 05:19:53 GMT

Hello,

We install cisco ise 3.2 and sometimes randomly in radius log we can see that PC/workstation run MAB and it was deny than for a few minutes run 802.1x and autheticatin is succesful.

Windows is update, i event log of machine I cound't find anything.

We use EAP-TLS,

does anybody have that problem or idea how to solve.

thank you

Re: cisco ISE workstation run sometimes MAB instead 802.1x

M02@rt37 — Thu, 29 Aug 2024 06:45:30 GMT

Hello @faruk.zaimovic

MAB is typically used as a fallback mechanism for devices that do not support 802.1X, like printers or IP phones. However, when you see a Windows machine, which should be using 802.1X, attempting MAB first, it suggests that the initial 802.1X authentication attempt failed or did not occur as expected. After the MAB attempt fails, the machine eventually tries 802.1X again and succeeds with EAP-TLS, indicating that the machine is capable of authenticating correctly but might be encountering initial connectivity issues or delays in starting the 802.1X process.

If there are network connectivity issues or if the port is flapping (constantly going up and down), it might cause the Windows machine to revert to MAB as it temporarily loses network connectivity or doesn’t complete the 802.1X authentication in time.

Also, there might be a delay in the 802.1X supplicant starting up or attempting to authenticate after the network interface becomes active. This delay could cause the switch to fall back to MAB...

If there is a problem with the certificate or the configuration of the EAP-TLS profile on the machine, it could cause the initial 802.1X attempt to fail, leading to MAB. Once the issue is resolved (like a delay in accessing the certificate store), the 802.1X authentication could succeed.

Since you didn’t find relevant information in the event logs, consider enabling detailed logging for the Windows 802.1X supplicant. This might give more insight into why the initial 802.1X attempt fails or is delayed. Review the ISE authentication logs for any patterns or specific errors associated with these events. Check the policies in ISE to ensure they are correctly configured to handle both 802.1X and MAB, and that the fallback behavior is appropriate.

Re: cisco ISE workstation run sometimes MAB instead 802.1x

MHM Cisco World — Thu, 29 Aug 2024 07:01:02 GMT

You use order and priority under the interface?

If yes make 802.1x first then mab

MHM

Re: cisco ISE workstation run sometimes MAB instead 802.1x

faruk.zaimovic — Thu, 29 Aug 2024 07:38:07 GMT

Hello,

i tried it, i have same problem. My conf of port

interface GigabitEthernet1/0/39
description KORISNICI
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
authentication timer inactivity 30
mab
dot1x pae authenticator
spanning-tree portfast
end

Re: cisco ISE workstation run sometimes MAB instead 802.1x

faruk.zaimovic — Thu, 29 Aug 2024 07:46:53 GMT

Hello,

thank you very much for your answear. 802.1x is autheticaed succesufully and it works, but in randomly time it start MAB and policy delayed it, then it run 802.1x and it continue working normaly and it is happen in circle. i would like why pc run instead 802.1x. it is possible disable MAB in PC.

Re: cisco ISE workstation run sometimes MAB instead 802.1x

MHM Cisco World — Thu, 29 Aug 2024 08:13:08 GMT

authentication order dot1x mab<<- only this need to change
authentication priority dot1x mab

Re: cisco ISE workstation run sometimes MAB instead 802.1x

rezaalikhani — Thu, 29 Aug 2024 08:16:21 GMT

This problem does not relates to ISE. ISE only decides which policies to apply based on received information from NAD or the endpoint. Based on your config, try to change the "authentication order mab dot1x" command to "authentication order dot1x mab". But as a general consideration, updating the Operating System and also the NIC driver solves many occasional circumstances...

Re: cisco ISE workstation run sometimes MAB instead 802.1x

ahollifield — Thu, 29 Aug 2024 14:19:57 GMT

Sleep mode?

Re: cisco ISE workstation run sometimes MAB instead 802.1x

M02@rt37 — Thu, 29 Aug 2024 19:59:54 GMT

@faruk.zaimovic @

MAB is not something you can disable directly on a PC, as it’s a fallback mechanism that occurs on the network switch when 802.1X authentication fails or doesn't start promptly.

However, you can take steps to ensure that the PC prioritizes 802.1X and doesn't inadvertently cause the switch to fall back to MAB...

If you are certain that all devices connecting to a particular port will always support 802.1X, you can disable MAB on that switch port entirely. This will prevent the port from falling back to MAB, forcing it to wait for 802.1X authentication to succeed.

Re: cisco ISE workstation run sometimes MAB instead 802.1x

faruk.zaimovic — Fri, 30 Aug 2024 05:16:03 GMT

Hello, i replace and it solve problem.

Re: cisco ISE workstation run sometimes MAB instead 802.1x

MHM Cisco World — Fri, 30 Aug 2024 09:12:32 GMT

You are welcome

MHM