802.1X Failing, Context Visibility Misidentifying Devices

alal
Level 1

Hello Dears,

Some Windows machines are being authenticated via MAB instead of 802.1X, even though all prerequisites appear to be in place. What could be the possible reasons for this behavior?

Additionally, in some cases, the RADIUS logs show user authentication failures, which causes the endpoints to fall back to MAB. However, in Context Visibility, the same MAC address is being identified as a printer. This suggests that the Context Visibility feature might not be functioning as expected.

Has anyone else observed a similar issue? Any insights or suggestions would be greatly appreciated.

7 Replies

@alal Why are the devices failing 802.1X authentication? What do the logs say? What authentication method is used? Do the endpoints trust ISE's EAP certificate?

You are possibly not receiving enough information on the endpoints to accurately profile them. What profiling probes are configured on ISE and the NADs (switches/WLC)?

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456


At the ISE end, DHCP, HTTP, RADIUS, NMAP, DNS, SNMPQUERY and Active Directory are checked, and at the SW side DHCP, LLDP and CDP are configured.

@alal So device sensor is configured on the switch; are those attributes actually collected and sent to ISE when the device is profiled by ISE?

What is the certainty factor assigned to the endpoint? Provide screenshots of the attributes section for the endpoint in ISE (obscure anything sensitive if you are concerned).

Why are the devices failing 802.1X authentication? What do the logs say? What authentication method is used? Do the endpoints trust ISE's EAP certificate?

1- Share config of SW interface

2- Share the profiling your ISE uses to detect the printer

3- Share live log detail from ISE when the endpoint failed to authc

4- In SW share

debug dot1x all

debug radius all

5- Screenshots of the policy you use in ISE

MHM

Dustin Anderson
VIP Alumni

If you have a dual port, i.e. 802.1x and MAB, then depending on settings it will try 802.1x and, if there is no response from the client, will then try MAB once it times out. Usually about 2 minutes. There can be multiple factors.

Do you see an 802.1x attempt then a MAB attempt? Or just MAB? If just MAB, the device is not doing 802.1x and you should verify it is enabled.
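One way to answer that "802.1x attempt then MAB, or just MAB?" question across many endpoints, as an added example that is not part of this thread: a Python script that groups RADIUS-style authentication log lines by MAC and reports whether each endpoint passed 802.1X, failed 802.1X and then fell back to MAB (and how many seconds the fallback took, to compare against the switch's dot1x timeout), or only ever did MAB. The key=value log format and the sample lines are constructed assumptions, not real ISE output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumed key=value format), not real ISE output.
SAMPLE_LOG = """\
2024-05-01T08:00:00 mac=00:50:56:aa:bb:01 service=dot1x result=FAIL reason=EAP-TLS-server-cert-untrusted
2024-05-01T08:01:35 mac=00:50:56:aa:bb:01 service=mab result=PASS profile=Printer
2024-05-01T08:00:05 mac=3c:52:82:12:34:56 service=dot1x result=PASS
2024-05-01T08:00:10 mac=00:1e:0b:77:88:99 service=mab result=PASS profile=HP-Printer
"""

def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'time'."""
    ts, *pairs = line.split()
    rec = {"time": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec

def classify_endpoints(log_text):
    """Return {mac: (status, seconds_until_mab_or_None, last_dot1x_reason_or_None)}."""
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_mac[rec["mac"]].append(rec)
    report = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["time"])
        dot1x = [r for r in recs if r["service"] == "dot1x"]
        mab = [r for r in recs if r["service"] == "mab"]
        reason = dot1x[-1].get("reason") if dot1x else None
        if any(r["result"] == "PASS" for r in dot1x):
            report[mac] = ("dot1x-ok", None, None)
        elif dot1x and mab:
            # Seconds from the first 802.1X failure to the MAB attempt; compare
            # with the switch's dot1x timeout to confirm a timer-driven fallback.
            delay = (mab[0]["time"] - dot1x[0]["time"]).total_seconds()
            report[mac] = ("dot1x-failed-then-mab", delay, reason)
        elif mab:
            # No 802.1X attempt at all: the supplicant is probably not running.
            report[mac] = ("mab-only", None, None)
        else:
            report[mac] = ("dot1x-failed-no-mab", None, reason)
    return report

if __name__ == "__main__":
    for mac, (status, delay, reason) in sorted(classify_endpoints(SAMPLE_LOG).items()):
        print(f"{mac}  {status:24} delay={delay} reason={reason}")
```

Endpoints reported as "dot1x-failed-then-mab" are the ones to check against ISE's live log failure reason and the port's dot1x timers; "mab-only" endpoints never sent an EAP response, so the supplicant side is where to look.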

802.1X fails for the device, and it falls back to MAB. Context Visibility shows the MAC profiled as a printer, which seems incorrect.

OK, so it is trying 802.1x and failing? Does your rule depend on the profiling? Such as needing to be a Windows device?

If you use Wireshark's OUI lookup tool on the first 6 of the MAC, what does it think it is?

https://www.wireshark.org/tools/oui-lookup.html