02-20-2020 05:54 PM
Hi,
I am confused about 802.1x authentication and MAB authentication. Please correct me.
- 802.1x and MAB cannot be used together in one authentication profile, correct?
I mean, if a device is connected to the network:
check MAB ==> passed ==> check 802.1x ==> passed
check MAB ==> fail ==> deny
I cannot use the above method?
- ISE can automatically detect the device type and OS type, correct?
I want to do this: if it is a Windows 10 computer, use 802.1x authentication with a certificate. If it is a printer or phone, use MAB.
Can it be done?
Accepted Solutions
02-20-2020 08:07 PM
In general, you want to create two authentication policy sets for wired network access, one that leverages the pre-built condition for MAB, and another that leverages the pre-built condition for dot1x. Because these two policy sets match different criteria, they will match what the network device / endpoint is participating in.
You configure the supplicants on your Windows machines to perform dot1x authentication. This should be active; you should ideally be doing this through Active Directory GPO, and leveraging the certificate enrollment features AD provides.
A typical configuration will have the switch attempt to perform dot1x with endpoints that don't have a supplicant configured; they will not respond to the switch's EAPOL messages, and the switch will fail over to performing MAB. This is usually how headless devices such as printers are authenticated. We often use profiling to determine what the devices are, then send a CoA from ISE if we are able to gather enough information to the point where the endpoint switches profiles.
You can profile endpoints to determine the OS version quite accurately for Windows machines, assuming you have profiling set up correctly. ISE can perform the lookups to AD, and AD is the accurate source of truth for Windows OS versions. NMAP is a passive method for detecting OS version, but I wouldn't rely on it for Windows versions.

02-20-2020 06:45 PM
Basically, there is a priority that is configurable on the switch for which authentication protocol is tried first, MAB or 802.1x.
I would suggest reviewing the following guide for more information on the underlying technology and best practices:
ISE Secure Wired Access Prescriptive Deployment Guide
Cheers,
Greg
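The switch-side order/priority that Greg mentions and the dot1x-then-MAB fallover that the accepted answer describes, shown as an added illustration (this is not either poster's configuration and is not taken from the guide); it assumes a Cisco IOS access switch using the classic (pre-IBNS 2.0) `authentication` interface commands, an ISE policy node at a placeholder address, and a placeholder RADIUS shared secret.

```text
! Global: enable AAA and send 802.1X / MAB requests to ISE (placeholder address and key)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept CoA from ISE so a profiling result can re-authorize an already-connected endpoint
aaa server radius dynamic-author
 client 192.0.2.10 server-key EXAMPLE-SHARED-SECRET
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Access port: try 802.1X first, fall over to MAB when no supplicant answers
interface GigabitEthernet1/0/1
 switchport mode access
 ! one data device plus one voice device (phone) per port
 authentication host-mode multi-domain
 ! order = which method is attempted first; priority = which method wins
 ! if a supplicant later sends EAPoL on a port that MAB already authorized
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! on a failure or timeout of dot1x, move on to the next method (MAB)
 authentication event fail action next-method
 ! periodic re-authentication, interval supplied by ISE via Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! initial EAPoL Request/Identity plus 2 retries, 10 s apart, so a
 ! supplicant-less printer reaches MAB after roughly 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

To see which method actually authorized a given endpoint (dot1x or mab) and the authorization ISE returned, run `show authentication sessions interface GigabitEthernet1/0/1 details` on the switch.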