C3PL IBNS2.0 MAB

awinslade
Level 1

Hi

Depending on what you read, it is suggested that Dot1x AUTH and MAB can be made to operate concurrently, thus getting MAB devices to authenticate to the network quicker.

So far I have not been able to prove to myself that this is actually taking place. Some discussion pages actually suggest running MAB first and then waiting for the EAPOL-Start from the client to initiate the dot1x process.

Has anyone got to hand a best practice document for speeding up the MAB process and/or a flow chart diagram on how the 9k range of switches evaluate and process the example policy below?

Best regards

Andy

policy-map type control subscriber SR-DOT1X-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using webauth parameter-map WEBAUTH_FALLBACK priority 30
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10

Arne Bier
VIP

I think doing the concurrent auth is not a good idea because the result is that one method will work, and the other will fail - that means that in the RADIUS server you will see a lot of authentication failures - which is not nice. I don't think it's possible to have MAB AND 802.1X succeeding for every client device. Therefore in my opinion it makes sense to do them in series. And the preference is to do 802.1X first if possible, because the assumption is that most of your client devices have a supplicant. In some cases you MUST do MAB first, because of some devices that stop doing DHCP by the time MAB has kicked in (e.g. some older Avaya phones, from personal experience).

The timing should be a case of setting the EAP timeout and retry values. I don't have a good handle on this myself, but perhaps the ISE Wired Prescriptive Guide goes into more detail.

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

Have a play with these timer values.
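Added example (not from this thread and not Cisco code): a small Python model of how the posted SR-DOT1X-POL policy-map sequences dot1x, MAB and webauth on each event, together with the timer arithmetic behind the tx-period / max-reauth-req suggestion in the reply. Class names follow the posted policy; the delay formula assumes the usual IOS-XE behaviour of sending max-reauth-req + 1 EAP Request-Identity frames, one per tx-period, before DOT1X_NO_RESP fires.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """One port session: which methods are running and what the policy did."""
    active: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def authenticate(self, method):
        self.active.add(method)
        self.log.append(f"authenticate {method}")

    def terminate(self, method):
        self.active.discard(method)
        self.log.append(f"terminate {method}")


def session_started(s):
    """event session-started: dot1x is the only method tried first."""
    s.authenticate("dot1x")


def authentication_failure(s, result):
    """event authentication-failure match-first: the first matching class
    runs and the rest are skipped (result is the failure class name)."""
    if result == "DOT1X_NO_RESP":      # no supplicant answered -> fall back to MAB
        s.terminate("dot1x")
        s.authenticate("mab")
    elif result == "MAB_FAILED":       # MAC unknown -> web authentication
        s.terminate("mab")
        s.authenticate("webauth")
    else:                              # class always: tear down, retry in 60 s
        for m in ("dot1x", "mab", "webauth"):
            s.terminate(m)
        s.log.append("authentication-restart 60")


def agent_found(s):
    """event agent-found: an EAPOL-Start arrives, so dot1x pre-empts MAB/webauth."""
    s.terminate("mab")
    s.terminate("webauth")
    s.authenticate("dot1x")


def dot1x_no_response_delay(tx_period, max_reauth_req):
    """Seconds a device with no supplicant waits before MAB even starts."""
    return (max_reauth_req + 1) * tx_period


def run_mab_only_device():
    """Walk a printer-style device (no supplicant) through the policy."""
    s = Session()
    session_started(s)
    authentication_failure(s, "DOT1X_NO_RESP")
    return s
```

With the default tx-period 30 and max-reauth-req 2 a MAB-only device waits 90 s; the values in the reply (7 and 3) bring that down to 28 s.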