Dot1x and MAB Order

fatalXerror
Level 5

Hi Guys,

I am authenticating via EAP-TLS in my wired LAN. What will happen if the machine does not have a user certificate in its certificate store, will it failover to MAB?

 

Is there any dot1x to MAB failover in wireless as well?

 

Thanks

Mike.Cifelli
VIP Alumni
If you have FlexAuth configured via template or statically configured on your interfaces to support MAB, then if 802.1X fails your host would failover to MAB. The physical medium should not matter (wired or wireless). Check out: http://www.labminutes.com/video/sec for some good video tutorials and https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html
Good luck & HTH!
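
For reference, a wired FlexAuth access port of the kind described in the reply above, as an added example that is not taken from the post or from Cisco's guide. The interface name, VLAN number and timer value are placeholders chosen for illustration; the commands are the legacy (pre-IBNS 2.0) IOS interface syntax.

```ios
! Constructed example: interface, VLAN and timer values are placeholders.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 !
 ! Allow more than one authenticated MAC on the port (e.g. phone + PC).
 authentication host-mode multi-auth
 !
 ! Order: try 802.1X first, then MAB.
 ! The switch moves to MAB when no supplicant answers the EAP
 ! Identity Requests before the 802.1X timers expire.
 authentication order dot1x mab
 !
 ! Priority: an endpoint that later starts 802.1X can replace
 ! an existing MAB session on the same port.
 authentication priority dot1x mab
 !
 ! Without this line, a supplicant that answers but is rejected by the
 ! RADIUS server (Access-Reject) stays unauthorized instead of trying MAB.
 authentication event fail action next-method
 !
 authentication port-control auto
 authentication periodic
 !
 ! Enable both methods on the port.
 mab
 dot1x pae authenticator
 !
 ! Shorten the wait before falling back to MAB (tx-period default is 30 s).
 dot1x timeout tx-period 10
 !
 spanning-tree portfast
```

The distinction that matters for the original question is between a silent endpoint (timeout, covered by `authentication order`) and a rejected one (covered by `authentication event fail action next-method`); `show authentication sessions interface GigabitEthernet1/0/10 details` shows which method a session ended up using.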

Hi @Mike.Cifelli 

Thanks for the feedback.

Yes I have configured FlexAuth in my wired LAN but in wireless I am not sure how to configure it in WLC.

Even if I don't have a certificate, the ISE will still try to authenticate it via 802.1x?

Thanks

For Cisco WLC, see 

Please note that this does not support RADIUS NAC (ISE NAC) so no ISE posture and CoA might not work properly, either.

Hi @hslai 

I checked the link that you provided but it seems to be 802.1x AND MAB. My client wants it to be like FlexAuth: when 802.1x is not available, it will failover to MAB.

Is that possible in wireless?

Thanks

You are correct it's not exactly like the wired flexauth. In my experience, we always create separate WLANs for different security settings, as most clients move from one Wi-Fi network to another fairly easily. On the client side, we either do not configure security at all or do it with the matching parameters.

I've not tried myself but the others found it working in some use cases.

MAC Authentication Failover to 802.1X says,

Configuring MAC Authentication Failover to 802.1X Authentication

You can configure the controller to start 802.1X authentication when MAC authentication with static WEP for the client fails. If the RADIUS server rejects an access request from a client instead of deauthenticating the client, the controller can force the client to undergo an 802.1X authentication. If the client fails the 802.1X authentication too, then the client is deauthenticated.

If MAC authentication is successful and the client requests for an 802.1X authentication, the client has to pass the 802.1X authentication to be allowed to send data traffic. If the client does not choose an 802.1X authentication, the client is declared to be authenticated if the client passes the MAC authentication.

 
