
Am I running Dot1x or MAB?

Kasper Elsborg
Level 1

Hi Community.

I have managed to configure ISE to run 802.1x on the wired side. But when it comes to wireless, I am in doubt.

The ISE live log suggests that the certificate is matched against AD, and EAP-TLS is up and running.

But the "sh authen sess int gi  x/x/x detail" is showing MAB authentication?

 

labsw2#sh authentication sessions interface gi1/0/14 details 
            Interface:  GigabitEthernet1/0/14
               IIF-ID:  0x12185ADD
          MAC Address:  0811.96f0.f660
         IPv6 Address:  fe80::94cd:3ed2:7003:d4f6
         IPv4 Address:  192.168.4.105
            User-Name:  08-11-96-F0-F6-60
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 80860s
    Common Session ID:  C0A802FB00000036A13DA646
      Acct Session ID:  0x00000011
               Handle:  0x3400002c
       Current Policy:  POLICY_Gi1/0/14


Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
         Idle timeout: 65536 sec

Server Policies:


Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success

----------------------------------------

            Interface:  GigabitEthernet1/0/14
               IIF-ID:  0x109BCB50
          MAC Address:  e4aa.5d68.a2b0
         IPv6 Address:  fe80::e6aa:5dff:fe68:a2b0
         IPv4 Address:  192.168.4.115
            User-Name:  E4-AA-5D-68-A2-B0
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 62833s
    Common Session ID:  C0A802FB00000021A02A7AB3
      Acct Session ID:  0x00000005
               Handle:  0xce000017
       Current Policy:  POLICY_Gi1/0/14


Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
         Idle timeout: 65536 sec

Server Policies:


Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success

labsw2#

 

MAC addr on the win10 client is: 0811.96f0.f660

WIFI is configured for WPA2-Enterprise AES

When running wired I get 802.1x

labsw2#sh authentication sessions interface gi1/0/3 details  
            Interface:  GigabitEthernet1/0/3
               IIF-ID:  0x17123B16
          MAC Address:  0021.cc72.70d9
         IPv6 Address:  fe80::4467:5437:a836:5a0a
         IPv4 Address:  192.168.2.231
            User-Name:  Kasper@Area51.local
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 86377s
    Common Session ID:  C0A802FB00000042A196013A
      Acct Session ID:  0x00000021
               Handle:  0xcd000038
       Current Policy:  POLICY_Gi1/0/3


Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure

Server Policies:
              ACS ACL: xACSACLx-IP-Area51-Domain-Admins-62f517cf
            SGT Value:  3


Method status list:
       Method           State
        dot1x           Authc Success

labsw2#

So what am I running in the wireless interface?

Br. Kasper


6 Replies

georgehewittuk1
Level 1

Misread your output - Why are you running that command on the switch to check the wireless DOT1X is working? Is that the WLC/AP port? The WLC is where you will validate the AAA, as it would be the authenticator. Looks like wireless is using EAP-TLS and working with no problems though.

Hi georgehewittuk1

Thanks for taking the time

Yes, the AP is connected to 1/0/14 on the sw, and I'm running the command because... well, I can. Seeing that the supplicant IP and MAC were present in the sw led to the question of why it's listed as MAB when the live log states dot1x.

But I guess the MAB comes from the actual AP, and the dot1x is running inside the capwap?

Is there a way to see the dot1x is running on the vWLC, as on the sw with the cmd?

Br. Kasper

 

I found it. On the vWLC under clients, it clearly says 802.1x

That's the one, good work!

thomas
Cisco Employee

Please see our recent ISE Webinar which is archived on our CiscoISE YouTube Channel for

Securing Cisco Catalyst Wireless with ISE using mPSK / iPSK / 802.1X

01:56 Methods for Securing Catalyst Wireless
03:12 Wireless Pre-Shared Keys Scenario
03:35 Demo Configuration Review
03:58 VLANs & SVIs
04:29 WLANs: guest, iot, corp
05:21 guest WLAN Config
05:57 iot WLAN Config with Pre-Shared Key
06:50 AAA RADIUS Config
09:08 AAA Advanced Config: Interim Updates, Called-Station-ID
12:04 Wireless Access Policies
14:49 Tags (default-policy-tag)
16:38 AP Name & Configuration
18:34 Demo: Guest SSID Test with iPad
19:43 Demo: iot Pre-Shared Key
20:48 ISE LiveLogs & Guest WiFi Policy
23:32 IOT WiFi Policy
25:34 Called-Station-ID in LiveLog Details
27:23 mPSK_IOT Authorization Profile
29:31 Demo: IOT Pre-Shared Key with Raspberry Pi Endpoint Profile
33:11 mPSK Overview
35:48 Demo: mPSK Configuration
40:04 mPSK_RaspberryPi Authorization Profile
42:47 iPSK Overview
43:58 iPSK Manager : Open Source project, not TAC supported!
45:28 Demo: Endpoint Custom Attributes
47:18 Demo: iPSK with Endpoint Attributes
48:23 iPSK_EndpointAttribute Authorization Profile using Endpoint Attributes
50:26 802.1X Overview
53:08 Supplicant Configuration
54:15 Demo: 802.1X corp WLAN for Employees with a Certificate

 

Thank you thomas!

Br. Kasper
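
Added example, not part of any post in this thread: a small parser for the `show authentication sessions interface ... details` output quoted in the question, reporting which method the switch port recorded as successful for each MAC address. The sample text is trimmed from the shape of the output in the thread, and the function names are hypothetical; the result describes only what the switch port did, and the thread's resolution was to check the client entry on the vWLC for the wireless method.

```python
import re

# Constructed sample: two session blocks trimmed from the output quoted in the thread.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/14
          MAC Address:  0811.96f0.f660
            User-Name:  08-11-96-F0-F6-60
               Status:  Authorized
Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success

----------------------------------------

            Interface:  GigabitEthernet1/0/3
          MAC Address:  0021.cc72.70d9
            User-Name:  Kasper@Area51.local
               Status:  Authorized
Method status list:
       Method           State
        dot1x           Authc Success
"""

# "Key:  value" lines we care about, and rows of the "Method status list" table.
FIELD = re.compile(r"^\s*(Interface|MAC Address|User-Name|Status):\s+(\S.*?)\s*$")
METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$")

def parse_sessions(text):
    """Return one dict per session block (blocks are separated by a dashed line)."""
    sessions = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        sess = {"methods": {}}
        for line in block.splitlines():
            if m := FIELD.match(line):
                sess[m.group(1)] = m.group(2)
            elif m := METHOD.match(line):
                sess["methods"][m.group(1)] = m.group(2)
        if "MAC Address" in sess:  # skip empty fragments and the trailing prompt
            sess["authenticated_by"] = [
                name for name, state in sess["methods"].items() if state == "Authc Success"
            ]
            sessions.append(sess)
    return sessions

def mab_only(sessions):
    """Sessions the switch port admitted on MAC address alone (no successful dot1x)."""
    return [s for s in sessions if s["authenticated_by"] == ["mab"]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["Interface"], s["MAC Address"], s["User-Name"], s["authenticated_by"])
```
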