08-28-2024 10:16 PM - edited 08-28-2024 10:19 PM
Hello,
We installed Cisco ISE 3.2, and sometimes, at random, in the RADIUS log we can see that a PC/workstation runs MAB and is denied; then, after a few minutes, it runs 802.1X and authentication is successful.
Windows is updated; in the event log of the machine I couldn't find anything.
We use EAP-TLS.
Does anybody have this problem, or an idea how to solve it?
Thank you.
08-28-2024 11:45 PM
Hello @faruk.zaimovic
MAB is typically used as a fallback mechanism for devices that do not support 802.1X, like printers or IP phones. However, when you see a Windows machine, which should be using 802.1X, attempting MAB first, it suggests that the initial 802.1X authentication attempt failed or did not occur as expected. After the MAB attempt fails, the machine eventually tries 802.1X again and succeeds with EAP-TLS, indicating that the machine is capable of authenticating correctly but might be encountering initial connectivity issues or delays in starting the 802.1X process.
If there are network connectivity issues or if the port is flapping (constantly going up and down), it might cause the Windows machine to revert to MAB as it temporarily loses network connectivity or doesn’t complete the 802.1X authentication in time.
Also, there might be a delay in the 802.1X supplicant starting up or attempting to authenticate after the network interface becomes active. This delay could cause the switch to fall back to MAB...
If there is a problem with the certificate or the configuration of the EAP-TLS profile on the machine, it could cause the initial 802.1X attempt to fail, leading to MAB. Once the issue is resolved (like a delay in accessing the certificate store), the 802.1X authentication could succeed.
Since you didn’t find relevant information in the event logs, consider enabling detailed logging for the Windows 802.1X supplicant. This might give more insight into why the initial 802.1X attempt fails or is delayed. Review the ISE authentication logs for any patterns or specific errors associated with these events. Check the policies in ISE to ensure they are correctly configured to handle both 802.1X and MAB, and that the fallback behavior is appropriate.
08-29-2024 12:46 AM
Hello,
Thank you very much for your answer. 802.1X authenticates successfully and it works, but at random times it starts MAB and the policy delays it; then it runs 802.1X and continues working normally, and this happens in a cycle. I would like to know why the PC runs MAB instead of 802.1X. Is it possible to disable MAB on the PC?
08-29-2024 12:59 PM
MAB is not something you can disable directly on a PC, as it’s a fallback mechanism that occurs on the network switch when 802.1X authentication fails or doesn't start promptly.
However, you can take steps to ensure that the PC prioritizes 802.1X and doesn't inadvertently cause the switch to fall back to MAB...
If you are certain that all devices connecting to a particular port will always support 802.1X, you can disable MAB on that switch port entirely. This will prevent the port from falling back to MAB, forcing it to wait for 802.1X authentication to succeed.
08-29-2024 12:01 AM
Do you use order and priority under the interface?
If yes, make 802.1X first, then MAB.
MHM
08-29-2024 12:38 AM
Hello,
I tried it; I have the same problem. My port config:
interface GigabitEthernet1/0/39
description KORISNICI
switchport access vlan 10
switchport mode access
authentication event fail action next-method
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 60
authentication timer inactivity 30
mab
dot1x pae authenticator
spanning-tree portfast
end
08-29-2024 01:13 AM
authentication order dot1x mab <<- only this needs to change
authentication priority dot1x mab
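A small audit script, added here as an example and not part of this thread or of any Cisco tool: it parses an IOS-style running-config excerpt and, for every access port that has both `mab` and `dot1x pae authenticator` configured, reports when `authentication order` lists mab before dot1x, which is the one-line change pointed out above, and skips single-method ports, which the earlier answer mentions as the case where MAB alone is appropriate. The sample config is constructed for this example (the port from the thread plus two made-up neighbours), and the function names are my own.

```python
"""Audit Cisco IOS interface stanzas for 802.1X/MAB method ordering.

Added example; not from the thread or from Cisco. With
'authentication order mab dot1x' the switch attempts MAB first at every
(re)authentication and only moves to dot1x after MAB fails, which is the
cycle described in the thread. The config below is constructed test data.
"""
from dataclasses import dataclass, field

# Constructed sample: Gi1/0/39 mirrors the thread's port, the others are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/39
 description KORISNICI
 switchport access vlan 10
 switchport mode access
 authentication event fail action next-method
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 60
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/40
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/41
 description printer
 switchport mode access
 authentication port-control auto
 mab
!
"""

MISORDER = "MAB is tried before 802.1X; replace with 'authentication order dot1x mab'"
NO_ORDER = "no explicit 'authentication order'; set 'authentication order dot1x mab'"


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config: str) -> list[Port]:
    """Split a config into interface stanzas; a stanza ends at '!' or 'end'."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            current.lines.append(line)
    return ports


def audit_port(port: Port) -> list[str]:
    """Return findings for one port; an empty list means nothing to change."""
    has_mab = "mab" in port.lines
    has_dot1x = "dot1x pae authenticator" in port.lines
    if not (has_mab and has_dot1x):
        return []  # single-method port: ordering is irrelevant
    order = next((l for l in port.lines if l.startswith("authentication order")), None)
    if order is None:
        return [NO_ORDER]
    methods = order.split()[2:]
    if "mab" in methods and "dot1x" in methods and methods.index("mab") < methods.index("dot1x"):
        return [MISORDER]
    return []


def fixed_lines(port: Port) -> list[str]:
    """Return the stanza with a mab-first order rewritten; other lines untouched."""
    if MISORDER not in audit_port(port):
        return list(port.lines)
    return ["authentication order dot1x mab" if l.startswith("authentication order") else l
            for l in port.lines]


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each interface name to its findings (ports with no findings included)."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run against the output of `show running-config` saved to a file to list every port that still tries MAB first; the script only reads text and changes nothing on the switch.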
08-29-2024 10:16 PM
Hello, I replaced it and it solved the problem.
08-30-2024 02:12 AM
You are welcome
MHM
08-29-2024 01:16 AM
This problem does not relate to ISE. ISE only decides which policies to apply based on the information received from the NAD or the endpoint. Based on your config, try changing the "authentication order mab dot1x" command to "authentication order dot1x mab". But as a general consideration, updating the operating system and also the NIC driver solves many occasional problems...
08-29-2024 07:19 AM
Sleep mode?