ISE and the order of MAB and 802.1x authentication

derek.andrew
Level 1

Is there any requirement that the order of authentication when using ISE is 802.1x with failover to MAB, instead of trying MAB first, and then 802.1x?

If 802.1x is tried first, there is a timeout before MAB is tried, and some clients are too impatient to wait for MAB.

If MAB is tried first, I would guess it would fail much quicker and 802.1x would then be tried.

3 Replies

balaji.bandi
Hall of Fame

From a security point of view, MAB is not real security, but some devices do not support 802.1X, so you need to deploy MAB authentication.

That is the reason 802.1x is preferred, and then if it fails (default 21 seconds) it falls back to MAB. You can reduce the 21 seconds to a lower value depending on the requirement.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

derek.andrew
Level 1

Thank you for the response. 

Although MAB is not considered real security, if it is allowed, it would still be great if it could be checked first.

We have some clients that need a full 30 seconds to negotiate 802.1x, so that is what we set everywhere so we are "port independent". Checking MAB first should be sub-second; then, if there was not any MAB entry in ISE, 802.1x could be tried.

After all, if you are going to allow the insecure MAB, a hacker will just make sure to wait for the 802.1x timeout, then try MAB. I do not see the order as enhancing security.

 

I never tried it; maybe you can try MAB first and 802.1X later for those specific switch ports where required. Test 1 or 2 devices before rolling out en masse.

 

BB
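An added example (not written by anyone in the thread): a Python check that reads IOS-style interface stanzas and reports, per port, which method runs first and whether 802.1X keeps precedence over MAB. The `authentication order` and `authentication priority` interface commands are Cisco IOS commands that the thread does not quote; the sample config, function names and labels are constructed, and the script assumes priority follows order when no priority line is present.

```python
import re

# Constructed running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication order dot1x mab
!
interface GigabitEthernet1/0/2
 authentication order mab dot1x
 authentication priority dot1x mab
!
interface GigabitEthernet1/0/3
 authentication order mab dot1x
!
interface GigabitEthernet1/0/4
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface to its 'authentication order' and 'priority' lists."""
    ports, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        if head:
            current = ports.setdefault(head.group(1), {"order": [], "priority": []})
        elif not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
        elif current is not None:
            cmd = re.match(r"\s+authentication (order|priority) (.+)", line)
            if cmd:
                current[cmd.group(1)] = cmd.group(2).split()
    return ports

def classify(port):
    """Label a port by which method runs first and which one takes precedence."""
    order = port["order"]
    # Assumption: with no explicit priority line, priority follows the order.
    priority = port["priority"] or order
    if not order:
        return "no-order-configured"
    if order[0] != "mab":
        return f"{order[0]}-first"
    if "dot1x" in priority and ("mab" not in priority or priority.index("dot1x") < priority.index("mab")):
        return "mab-first-dot1x-priority"
    return "mab-first-mab-priority"

def audit(config):
    return {name: classify(port) for name, port in parse_interfaces(config).items()}
```

Ports labelled `mab-first-mab-priority` are the ones to review before a wider rollout, since nothing in their configuration gives 802.1X precedence over a MAB result.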