3903 Views | 15 Helpful | 2 Replies

802.1X and MAB

MrBeginner (Spotlight)

Hi,

I am confused about 802.1x authentication and MAB authentication. Please correct me.

  • 802.1x and MAB cannot be used together in one authentication profile, correct?

I mean, if one device is connected to the network:

check MAB ==> passed ==> check 802.1x ==> passed

if check MAB ==> fail ==> deny

I cannot use the above method?

  • ISE can automatically detect device type and OS type, correct?

I want to do this: if it is a Windows 10 computer, use 802.1x authentication with a certificate. If it is a printer or phone, use MAB.

Can it be done?

Accepted Solution

Damien Miller (VIP Alumni)
You may also find that some guides for IBNS 2.0 C3PL authentication policy sets on switches contain simultaneous dot1x and MAB, and there is mixed reaction to this. In general it works fine, but I still don't think there is an official BU blessing to this being supported.

In general, you want to create two authentication policy sets for wired network access, one that leverages the pre-built condition for MAB, and another that leverages the pre-built condition for dot1x. Because these two policy sets match different criteria, they will match what the network device / endpoint are participating in.

You configure the supplicants on your Windows machines to perform dot1x authentication. This should be active; you should ideally be doing this through Active Directory GPO, and leveraging the certificate enrollment features AD provides.

Typical configuration will have the switch attempt to perform dot1x with endpoints that don't have a supplicant configured; they will not respond to the switch's EAPOL messages, and the switch will fail over to performing MAB. This is usually how headless devices such as printers are authenticated. We often use profiling to determine what the devices are, then send a CoA from ISE if we are able to gather enough information to the point where the endpoint switches profiles.

You can profile endpoints to determine the OS version quite accurately for Windows machines, assuming you have profiling set up correctly. ISE can perform the lookups to AD, and AD is the accurate source of truth for Windows OS versions. NMAP is a passive method for detecting OS version, but I wouldn't rely on it for Windows versions.

2 Replies

Greg Gibbs (Cisco Employee)

Basically, there is a priority that is configurable on the switch for which authentication protocol is tried first, MAB or 802.1x.

I would suggest reviewing the following guide for more information on the underlying technology and best practices:

ISE Secure Wired Access Prescriptive Deployment Guide 

 

Cheers,

Greg
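The order/priority knobs this reply refers to, shown in the legacy (pre-IBNS 2.0) per-interface syntax. This is an added example, not configuration from the original post or from the deployment guide; the interface names and VLAN are assumptions. It shows both the dot1x-first flow and the MAB-first flow the question asks about, and the difference between `authentication order` (which method is tried first) and `authentication priority` (which method's result wins when both produce one).

```cisco
! Added example (not from the original thread). Interfaces and VLAN are assumed.

! Port A: try dot1x first, fall back to MAB when dot1x fails or times out
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 ! order = sequence of attempts
 authentication order dot1x mab
 ! priority = which result is authoritative if both methods complete
 authentication priority dot1x mab
 ! on failure, move to the next method listed in 'order' instead of denying
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast

! Port B: MAB first (no EAPOL timeout for headless gear), but still let a
! supplicant override the MAB result. This is the "check MAB, then 802.1x"
! sequence from the question: priority dot1x means a later dot1x success
! replaces the MAB authorization rather than being ignored.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Note the asymmetry on Port B: with `order mab dot1x` a known MAC is authorized immediately, and the port only proceeds to dot1x if MAB fails or a supplicant sends EAPOL. A MAB success followed by a dot1x failure does not deny the device unless ISE's authorization for the MAB identity already limits it, so the restrictive MAB authorization rule on the ISE side is what actually enforces the "MAB passed but 802.1x failed" case the question describes.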
