Client trying MAB first then dot1x

louis0001
Level 3

I'm wondering what I have wrong here. We have 802.1x clients trying MAB and registering a failed authentication on our NPS servers. The ports have a Cisco phone (authenticating via MAB) and a Windows 10 PC (authenticating using dot1x).

Policy order on the NPS server:
MAB (for phones)
dot1x (for PCs)


Port config is:

interface GigabitEthernet1/0/6
 description PORT 1 OFFICE 1
 switchport mode access
 switchport voice vlan 250
 authentication event fail retry 0 action authorize vlan 100
 authentication event server dead action authorize vlan 200
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable


I believe that the 802.1x client will send an eapol message which will prioritise the dot1x so it's possible the client will try MAB first but will switch to dot1x upon the eapol frame being received.

I'm wondering if this is what is causing the MAB authentication failure being logged, e.g. MAB failing before dot1x authenticates?

Am I missing any obvious timer etc in the above config?

Should I change the NPS order?

Accepted Solutions

Read the following document. It will give you some good examples:

Flexible Authentication Order, Priority, and Failed Authentication


Change the policy order to dot1x then MAB. Also change the authentication order to dot1x mab in the port configuration.


Thanks,

Aravind

-Aravind
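A way to check for the ordering the accepted answer describes across a whole switch config, as an added example that is not from the thread: it parses the interface stanzas and flags ports where "authentication order" tries MAB before dot1x while "dot1x pae authenticator" is enabled, which is the combination that produces a failed MAB attempt on NPS before 802.1X takes over. The sample config is constructed (the thread's Gi1/0/6 plus a hypothetical corrected Gi1/0/7).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: Gi1/0/6 as posted in the thread (MAB tried first),
# and a hypothetical Gi1/0/7 already changed to "authentication order dot1x mab".
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/6
 switchport voice vlan 250
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/7
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface' stanza under its name."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return interfaces


def find_mab_first_ports(config: str) -> List[str]:
    """Return ports where 802.1X is enabled but MAB is attempted first.

    On such ports a dot1x supplicant gets a MAB request before EAPOL
    preempts it, so the RADIUS server logs a MAB failure for the PC.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        order = next((l.split()[2:] for l in lines if l.startswith("authentication order ")), None)
        has_dot1x = "dot1x pae authenticator" in lines
        if order and has_dot1x and order[0] == "mab" and "dot1x" in order:
            findings.append(name)
    return findings
```

Running find_mab_first_ports on a full "show running-config" dump lists the ports that still need the order changed as in the accepted answer.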
