03-12-2021 07:45 AM
Is there any requirement that the order of authentication when using ISE is 802.1X with failover to MAB, instead of trying MAB first and then 802.1X?
If 802.1X is tried first, there is a timeout before MAB is tried, and some clients are too impatient to wait for MAB.
If MAB is tried first, I would guess it would fail much more quickly and 802.1X would then be tried.
03-12-2021 07:53 AM
From a security point of view, MAB is not real security, but some devices do not support 802.1X, so you need to deploy MAB authentication.
That is the reason 802.1X is preferred; then, if it fails (default 21 seconds), it fails over to MAB. You can reduce the 21 seconds to a lower value depending on the requirement.
03-16-2021 08:19 AM
Thank you for the response.
Although MAB is not considered real security, if it is allowed, it would still be great if it could be checked first.
We have some clients that need a full 30 seconds to negotiate 802.1X, so that is what we set everywhere so we are "port independent". Checking MAB first should be sub-second; then, if there was no MAB entry in ISE, 802.1X could be tried.
After all, if you are going to allow the insecure MAB, a hacker will just make sure to wait for the 802.1X timeout and then try MAB. I do not see the order as enhancing security.
03-16-2021 08:34 AM
I never tried it; maybe you can try it on those specific switch ports where MAB first and 802.1X later is required. Test one or two devices before rolling it out en masse.
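For reference, here is an added configuration example (not from any of the posters above) showing both orderings discussed in this thread on a Cisco IOS access switch using the classic IBNS 1.0 per-interface commands. Interface names, the timer values and the ISE behaviour assumed in the comments are illustrative assumptions. Note that the time 802.1X waits before falling through to the next method is tx-period x (max-reauth-req + 1); with the IOS defaults of 30 seconds and 2 retries that is 90 seconds, which is why the timers are lowered below.

```text
! Added example, not from the original thread. IBNS 1.0 syntax; switches
! running IBNS 2.0 (policy-map type control subscriber) express the same
! idea differently.

! --- Variant A: 802.1X first, fail over to MAB (the usual order) ---
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! 802.1X gives up after tx-period x (max-reauth-req + 1) seconds with no
 ! EAPOL response: 10 x (1 + 1) = 20 s before the port moves on to MAB.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1

! --- Variant B: MAB first, then 802.1X (what the question asks about) ---
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 ! MAB is tried first, so there is no EAPOL wait for MAB-only devices.
 ! Assumption: ISE returns Access-Reject for a MAC it does not know, which
 ! triggers "next-method" and starts 802.1X.
 authentication order mab dot1x
 ! Keep dot1x as the higher-priority method so that a supplicant that sends
 ! EAPOL after MAB has already authorised the port can still take over.
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
```

Two practical checks before rolling Variant B out: confirm that the ISE MAB identity-source setting for an unknown MAC is set to reject rather than continue, otherwise an unknown endpoint can be authorised by the MAB policy and 802.1X is never attempted; and verify on the switch with `show authentication sessions interface GigabitEthernet1/0/2 details` that a test supplicant ends up with dot1x, not mab, as the authenticating method.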