cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

87
Views
0
Helpful
2
Replies
Cisco Employee

ISE 2.4 -> is there any way to reduce auth time (timers) when using 802.1x and MAB together?

I'm wondering if I can build a policy for authentication that will perform dot1x first, give it five seconds or so as a window to successfuly pass 802.1x auth, and then if dot1x does not succeed in that time, start a MAB authentication transaction.

 

Here’s why:   My customer is using legacy-style authentication commands, which perform auth methods in sequence (dot1x first, then MAB).  The drawback there is that a device which authenticates via MAB always has to wait for dot1x to fail before it can authenticate; combined with the dot1x tx-period of 10 seconds they have set and the default of two retries, any MAB device has to wait a minimum of 30 seconds before it can join the network.  This is non-optimal and disruptive to other end users.

 

We’ve played around with C3PL Policy stuff in their lab before, and one of the big advantages seems to be that auth methods are processed in parallel rather than sequentially--you can set it up so both auth methods are run, and if both succeed, the device gets the authc/authz result of whichever one has the higher priority.  However, this also has a drawback in that dot1x-authenticated devices now have an additional check against MAB that they didn't before when the methods were processed in sequence, which means more transactions against ISE, more CPU consumed by the switch, etc.

 

The ’ASK’.

 

So, I am wondering if it's possible to craft a policy-map that gives a sort of "best of both worlds"--basically, give the supplicant device five seconds to do 802.1x before the MAB authentication check starts; if it has not started that transaction by five seconds, begin a MAB authentication transaction (while letting the 802.1x transaction continue to run in case it's an 802.1x device that's just running a bit slowly).  If the device passes 802.1x in that five seconds, don't start a MAB transaction.  Essentially, I am looking to realize some of the benefits of the parallel processing of authentication methods so devices can get authenticated and connected faster, but avoid the double transactions of starting both methods simultaneously

 

Does anyone know if there are any knobs that can be combined to result in this type of behavior?  I am not an ISE expert, but have used it for more typical use cases.

 

All tips, how to guides and general knowledge are appreciated.  Specifics would help greatly.

 

 

Thanks,

Rob
2 REPLIES 2
Participant

Re: ISE 2.4 -> is there any way to reduce auth time (timers) when using 802.1x and MAB together?

Most environments do just fine with a tx-period of 10 seconds and 2 retries.  You could reduce the tx-period to 2 and that would be a total of 6 seconds before failing over to MAB.  Also, if you set the priority to 802.1x with the command "authentication priority dot1x mab", then if it fails over to MAB and during MAB auth, the switch receives an EAPOL frame from the supplicant, it will immediately stop MAB and go back to 802.1x.  But if you reduce the timers too much, you could start to create other problems with 802.1x where the supplicant gives up and starts again while ISE is still processing the first request.  Realistically, a total of 15 seconds (tx-period 5) should be fine.  I can't imagine MAB devices or users complaining that much for 15 seconds.

Cisco Employee

Re: ISE 2.4 -> is there any way to reduce auth time (timers) when using 802.1x and MAB together?