Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5903
Views
30
Helpful
4
Replies

Cisco ISE 2.3 - Authentication Order and Priority Commands

pgiouvanellis
Level 1
Level 1

‎11-22-2018 02:11 AM

Hello Everyone ,

 

I would like someone explain me what is the effect of the authentication order and priority commands .

 

In our enviroment we use the below commands on Switches : 

 

authentication order dot1x mab
authentication priority mab dot1x
authentication event fail action next-method

 

That i understand is that the switch tries to authenticate first using 802.1x and if auth fails tries to do MAB .

Is that right ? 

 

But what happens with endpoints that are not 802.1x capable( for example IP Phones, Printers , etc) ?

Does the Switch tries to perform 802.1x or it will try MAB authentication without 802.1x ?

 

In ISE reports for these devices i did not see any 802.1x logs but only MAB authentication attemps , is that right ? 

 

Thank You,

Palaiologos  

0 Helpful
4 Replies 4

Surendra
Cisco Employee
Cisco Employee

‎11-28-2018 07:14 AM

authentication order dot1x mab ---> this means that the switch will try dot1x first and if the device is not capable or does not respond, it will fall back to mab.
authentication priority mab dot1x ---> this means that mab will be preferred over dot1x. for example, if the dot1x capable machine did not respond to the initial attempt of the switch to perform dot1x, then it would fall back to mab. Now in this state, if the dot1x capable machine tries to perform dot1x, then switch will not perform dot1x authentication instead it will stick to the mab session.

authentication event fail action next-method ---> this means that if dot1x authentication fails for a capable device, switch will perform mab as a fallback method.

abdelrhman.gehad
Level 1
Level 1
In response to Surendra

‎03-08-2022 02:29 AM

Can you help me for meaning this command ?

authentication open 

authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab

 

 

thank you 

Abood_ss

ammahend
VIP
VIP
In response to abdelrhman.gehad

‎03-08-2022 05:51 AM

authentication open 

any new MAC address detected on the port will be allowed unrestricted Layer 2 access to the network even before any authentication has succeeded. If you use this command, you should use static default ACLs to restrict Layer 3 traffic

 

authentication port-control auto

Start authentication when the link state changes from down to up state.


authentication periodic

Enable the reauthentication and inactivity timer for the port. 


authentication timer reauthenticate server

To specify the period of time to reauthenticate the authorized port and to allow the reauthentication timer interval (session timer) to be downloaded to the switch from the RADIUS server.


mab

Enable mac address authentication. This method is used to authenticate printer, scanner, camera and other “dumb” devices.

-hope this helps-
Customers Also Viewed These Support Documents