Cisco APs MAB

Leonardo Santana


Hi,

What's the best way to authenticate the APs in FlexConnect? MAB or NEAT?

Version: Cisco ISE 3.3

Regards
Leonardo Santana

*** Rate All Helpful Responses***

M02@rt37

Hello @Leonardo Santana 

Even with the additional complexity introduced by CISP, NEAT remains the better option for authenticating APs in a FlexConnect environment due to its superior security and network integrity (scalability also). MAB might still be used in environments where simplicity is more critical than security, but for production networks, particularly those that are sensitive to security and scalability, NEAT is the recommended approach.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi,

Thanks for your answer. Our customer just wants to configure the APs with MAB. Will this config below work?

interface gigax/x
 description ">_MERAKI_LAN<"
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan x,x,x,x,x
 switchport mode trunk
 switchport nonegotiate
 authentication control-direction in
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 logging event trunk-status
 logging event bundle-status
 load-interval 30
 duplex full
 ip dhcp snooping trust

If the AP is in Flex Connect mode, local switching, then an additional configuration has to be made on the switch interface to allow multiple MAC addresses on the port, since the client traffic is released at the AP level:

authentication host-mode multi-host

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217848-configure-802-1x-supplicant-for-access-p.html

 

Regards
Leonardo Santana

*** Rate All Helpful Responses***

Hello @Leonardo Santana 

It looks fine.

And yes, since the AP is in FlexConnect mode with local switching, it's crucial to allow for multiple MAC addresses on the port... which you've done with authentication host-mode multi-host.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

100% depends on the organization's security policies.  You can also enable a local supplicant on the AP:  https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217848-configure-802-1x-supplicant-for-access-p.html

According to the Cisco Live I reviewed before, MAB is good for AP auth.

MHM

FlexConnect exposes all the MAC addresses of the wireless hosts to the switch port; how do you manage this with MAB?

You don't.  Most of my customers exclude FlexConnect APs from authentication (it's a trunk port after all).  The other way is to use Smart Port Macros.
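
An added example, not part of the thread or of Cisco's documentation: a small Python check over IOS-style interface stanzas that reports how the host mode discussed above treats the MAC addresses behind a FlexConnect local-switching AP. The sample config, interface names and function names are constructed for this example.

```python
import re

# Constructed sample: two AP-facing trunk ports (interface names are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 authentication host-mode multi-host
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 authentication port-control auto
 mab
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces

def audit_ap_port(cmds):
    """Findings for one port that carries a FlexConnect local-switching AP."""
    if "authentication port-control auto" not in cmds:
        return ["port is not authenticated (no 'authentication port-control auto')"]
    findings = []
    if "mab" not in cmds and "dot1x pae authenticator" not in cmds:
        findings.append("no authentication method (mab / dot1x) enabled")
    # IOS default when no host-mode line is present is single-host.
    mode = next((c.split()[-1] for c in cmds
                 if c.startswith("authentication host-mode ")), "single-host")
    if mode == "single-host":
        findings.append("host-mode single-host: a second MAC on the port "
                        "(any wireless client) is a security violation")
    elif mode == "multi-host":
        findings.append("host-mode multi-host: only the first MAC (the AP) is "
                        "authenticated; later MACs on the port are not")
    return findings

def audit(config):
    return {name: audit_ap_port(c) for name, c in parse_interfaces(config).items()}
```

Calling `audit()` on a saved running-config gives one list of findings per interface; the multi-host finding is informational and records that wireless clients on the port pass without their own authentication at the switch.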