07-01-2019 04:31 AM
Hi Guys,
I am authenticating via EAP-TLS in my wired LAN. What will happen if the machine does not have a user certificate in its certificate store? Will it fail over to MAB?
Is there any dot1x to MAB failover in wireless as well?
Thanks
07-01-2019 05:24 AM
07-01-2019 06:00 AM
Thanks for the feedback.
Yes, I have configured FlexAuth in my wired LAN, but in wireless I am not sure how to configure it in the WLC.
Even if I don't have a certificate, the ISE will still try to authenticate it via 802.1x?
Thanks
07-01-2019 03:08 PM
For Cisco WLC, see
Please note that this does not support RADIUS NAC (ISE NAC), so no ISE posture, and CoA might not work properly, either.
07-02-2019 03:41 AM
Hi @hslai
I checked the link that you provided, but it seems to be 802.1X AND MAB. My client wants it to be like FlexAuth: when 802.1X is not available, it will fail over to MAB.
Is that possible in wireless?
Thanks
07-02-2019 05:46 AM
You are correct, it's not exactly like the wired FlexAuth. In my experience, we always create separate WLANs for different security settings, as most clients move from one Wi-Fi network to another fairly easily. On the client side, we either do not configure security at all or do it with the matching parameters.
I've not tried it myself, but others found it working in some use cases.
MAC Authentication Failover to 802.1X says,
Configuring MAC Authentication Failover to 802.1X Authentication
You can configure the controller to start 802.1X authentication when MAC authentication with static WEP for the client fails. If the RADIUS server rejects an access request from a client instead of deauthenticating the client, the controller can force the client to undergo an 802.1X authentication. If the client fails the 802.1X authentication too, then the client is deauthenticated.
If MAC authentication is successful and the client requests for an 802.1X authentication, the client has to pass the 802.1X authentication to be allowed to send data traffic. If the client does not choose an 802.1X authentication, the client is declared to be authenticated if the client passes the MAC authentication.