11-19-2018 12:17 PM
One of the advantages of using the CPL (IBNS 2.0) style template is you have the option to run MAB and Dot1x simultaneously. This means closed mode is not as detrimental to MAB devices or you can do VLAN moves in open mode without the worry of devices getting an IP on the original VLAN.
I have had Cisco Advanced Services tell some of my customers "We don't recommend doing MAB and Dot1x at the same time because we have seen issues." I like generic descriptions like that. When I had the customer press AS for what issues, the only thing they came back with is that it adds extra load to ISE. Yes, there is extra load because all Dot1x sessions will have a MAB authentication, but I have deployments doing 100k+ active authentications with all CPL switch templates and no issues.
I am just checking to see if others are running MAB and Dot1x simultaneously and what their experience has been. Our standard is to run them simultaneously at our customers and we haven't had a reason to change it.
05-20-2019 06:55 AM
Paul, thanks for the data points. Will let you know of any findings.
02-25-2020 01:15 AM
Hi Paul,
I am facing an issue with CPL: it always prefers MAB and does not perform Dot1x. I want to authorize my AD user, but I am unable to do dot1x authentication and authorization. Could you please help me find where I am going wrong?
current config on switch:
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
ip access-list extended ACL-ALLOW
permit ip any any
!
service-template CRITICAL
access-group ACL-ALLOW
!
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
!
interface range g2/0/24
 switchport host
 switchport access vlan 100
 service-policy type control subscriber DOT1X-DEFAULT
 authentication periodic
 authentication timer reauthenticate server
 mab
 access-session host-mode multi-auth
 dot1x timeout tx-period 10
 access-session port-control auto
!
Logs from ISE:
My Authorization Profile is fine; it's Access_Accept there. Moreover, if I send a RADIUS packet from the switch, it authenticates and is authorized: test aaa group radius username@ad.com Password new-code
User successfully authenticated
USER ATTRIBUTES
username 0 "username@ad.com"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Steps happening in this process:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP
15041 | Evaluating Identity Policy
15048 | Queried PIP
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - 00:50:56:5D:D5:2A
24325 | Resolving identity
24313 | Search for matching accounts at join point
24318 | No matching account found in forest
24322 | Identity resolution detected no matching account
24352 | Identity resolution failed
24412 | User not found in Active Directory
15048 | Queried PIP
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
5449 | Endpoint failed authentication of the same scenario several times and was rejected
5434 | Endpoint conducted several failed authentications of the same scenario
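The steps above show a MAB (host lookup, Service-Type Call Check) request, not a dot1x one, being evaluated against an authorization rule that expects an AD user, so the MAC address is looked up in AD and DenyAccess is selected. The following Python triage script is an added example, not part of the thread; it parses ISE step lines in the "code | message" format posted above (the sample is copied from that log) and flags that pattern, including the 5434/5449 repeat-failure events.

```python
"""Triage an ISE 'Steps' log for the concurrent MAB/dot1x pattern seen in
this thread: a MAB (host-lookup) request hits an authorization rule meant
for AD users and ends in DenyAccess. Added example; SAMPLE is copied from
the ISE steps posted above (one endpoint, one session)."""
import re

SAMPLE = """
11001 | Received RADIUS Access-Request
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - 00:50:56:5D:D5:2A
24412 | User not found in Active Directory
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
5434 | Endpoint conducted several failed authentications of the same scenario
"""

MAC_RE = re.compile(r"([0-9A-F]{2}:){5}[0-9A-F]{2}", re.I)


def parse_steps(text):
    """Return [(code, message)] from 'code | message' lines (trailing empty
    cells, as in a raw ISE export, are tolerated)."""
    steps = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) >= 2 and parts[0].isdigit():
            steps.append((int(parts[0]), parts[1]))
    return steps


def triage(steps):
    """Map ISE step codes to findings a helpdesk can act on."""
    codes = {c for c, _ in steps}
    msgs = {c: m for c, m in steps}            # last message per code wins
    mab = 11027 in codes                       # Service-Type Call Check == MAB
    auth_ok = 22037 in codes                   # MAB itself passed (endpoint known)
    mac_to_ad = 24432 in codes and bool(MAC_RE.search(msgs[24432]))
    deny = 15016 in codes and "DenyAccess" in msgs[15016]
    concurrent_pattern = mab and auth_ok and mac_to_ad and deny
    return {
        "request_type": "MAB" if mab else "dot1x/other",
        "authentication_passed": auth_ok,
        "mac_looked_up_as_ad_user": mac_to_ad,
        "denied_by_authz": deny,
        "repeat_failure_suppression": 5434 in codes or 5449 in codes,
        "verdict": ("MAB request matched an AD-user authorization rule; "
                    "not a dot1x failure" if concurrent_pattern
                    else "inspect manually"),
    }
```

Run it against a dot1x session's steps (no 11027) and the verdict falls back to "inspect manually", which is the point: the MAB leg of a concurrent auth is expected to be rejected unless the wired MAB policy handles it.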
12-19-2019 09:04 PM
I am also using simultaneous dot1x and MAB, ever since it was advertised in the 2015 Cisco Live IBNS2 presentation, and I also see no issues with this. In our case MAB is always faster than EAP-TLS, but our policy gives dot1x higher priority so it always takes over the MAB result immediately. ISE correctly shows both authentications as separate; why wouldn't it?? I have seen no evidence for the claims above.
Having said that, we have had no end of issues with IBNS2 on various platforms since 3560X/4500E-Sup8 and now onto 9300 with 16.x. When I first started logging cases with TAC there was almost ZERO TAC knowledge and it was incredibly frustrating. We had one issue where Windows machines kept falling to Unauthorized after reauthentication and I ended up just dropping it as the support was so poor.
Several years on and we are still refining our policy but do not have inactivity timers or reauthentication working properly so they are disabled. The inactivity probes seem to have broken in 16.x and not fixed.
Paul are you able to share any details of your policies? I would be interested to see how you handle reauthentication. Ideally once a host has authenticated with 802.1x we shouldn't need to reauthenticate with both MAB and dot1x.
02-27-2020 05:46 AM
Paul, in your reply you had posted the following snippet:
event session-started match-all
 10 class always do-all
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20
In the solution I'm testing, I had:
event session-started match-all
 20 class always do-until-failure
  10 authenticate using mab priority 20
  20 authenticate using dot1x priority 10
I'm attempting to understand the subtleties of these two pieces of code, and I would appreciate any feedback.
1) For the class statement, the number used as the priority doesn't matter, because the class is the only class in the event.
2) In the class statement, "do-all" means do each of these things once, but "do-until-failure" means what, exactly? How does it tie in with the various timers and retries for both methods? Does one make more sense than the other? "do-all" vs "do-until-failure"?
3) Inside the class clause, there are two statements (10 and 20). I'm guessing the numbers relate to the ORDER in which the two methods are attempted (similar to the deprecated "authentication order" command), so your example is basically "authentication order dot1x mab", and mine is "authentication order mab dot1x".
4) In both your example and mine, the pre-IBNS equivalent is "authentication priority dot1x mab".
5) Later in my example, I also have:
event authentication-failure match-first
 5 class DOT1X_FAILED do-until-failure
  10 terminate dot1x
  20 authentication-restart 60
 10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
  10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
  20 authorize
  30 pause reauthentication
 20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
  10 pause reauthentication
  20 authorize
 30 class MAB_FAILED do-until-failure
  10 terminate mab
  20 authenticate using dot1x retries 2 retry-time 0 priority 10
I altered the priority of the dot1x method in the MAB_FAILED clause to match that of the previous session-started clause; not really sure it matters, but it looks consistent.
02-27-2020 02:36 PM
fitzie, I found an answer to at least point 2 of your post here: http://www.network-node.com/blog/2017/10/7/ise-c3pl-switch-configuration
10 class always do-all <- Matches everything after a session starts and do all the actions
10 authenticate using dot1x priority 10 <- Action is to authenticate using dot1x with a priority of 10
20 authenticate using mab priority 20 <- Action is to authenticate using MAB with priority of 20 - making it a lower priority than a successful dot1x authentication if both were to pass authentication.
03-01-2020 08:36 PM - edited 03-01-2020 08:38 PM
You switched the ORDER
Yours:
10 class always do-all
 10 authenticate using dot1x priority 10
 20 authenticate using mab priority 20
Mine:
10 class always do-all
 10 authenticate using mab priority 20 /* (higher ORDER - 10, lower PRIORITY - 20)
 20 authenticate using dot1x priority 10 /* (lower ORDER - 20, higher PRIORITY - 10)
I want MAB to process first, but stop immediately if a dot1x supplicant is detected. I believe yours will always process dot1x first, and that is a problem for some of my phones.
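To make the ORDER-versus-PRIORITY distinction discussed in the last few posts concrete, here is an added Python example (not from the thread or from Cisco) that parses an IBNS 2.0 control policy in the indented form used above and reports, for the session-started event, the attempt order (sequence numbers) and the method whose result wins if both succeed (lowest priority value). The two snippets embedded are Paul's and fitzie's from the posts above; the default used for a method with no priority keyword is an assumption of the example.

```python
"""Parse an IBNS 2.0 (C3PL) control policy and report, for the
session-started event, the ORDER in which methods are attempted
(sequence numbers) versus the PRIORITY that decides which result
wins (lowest number). Added example; the two policy snippets are
Paul's and fitzie's from the posts above."""
import re
from dataclasses import dataclass, field

PAUL = """
event session-started match-all
 10 class always do-all
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20
"""
FITZIE = """
event session-started match-all
 20 class always do-until-failure
  10 authenticate using mab priority 20
  20 authenticate using dot1x priority 10
"""


@dataclass
class Klass:
    seq: int
    name: str
    mode: str                                   # do-all | do-until-failure
    actions: list = field(default_factory=list)  # (seq, action text)


@dataclass
class Event:
    name: str
    match: str                                  # match-all | match-first
    classes: list = field(default_factory=list)


def parse(text):
    """Line-based parser: 'event ...' opens an event, '<n> class ...'
    opens a class, any other '<n> ...' line is an action of that class."""
    events, ev, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"event (\S+) (match-\S+)$", line):
            ev = events[m.group(1)] = Event(m.group(1), m.group(2))
        elif m := re.match(r"(\d+) class (\S+) (do-\S+)$", line):
            cls = Klass(int(m.group(1)), m.group(2), m.group(3))
            ev.classes.append(cls)
        elif m := re.match(r"(\d+) (.+)$", line):
            cls.actions.append((int(m.group(1)), m.group(2)))
    return events


def methods(events, event="session-started"):
    """[(method, priority)] in attempt ORDER (class seq, then action seq).
    A method without a 'priority' keyword is given 255 (lowest precedence)
    here; that default is an assumption of this example, not IOS behaviour."""
    out = []
    for cls in sorted(events[event].classes, key=lambda c: c.seq):
        for _, text in sorted(cls.actions):
            m = re.match(r"authenticate using (\S+)(?:.* priority (\d+))?", text)
            if m:
                out.append((m.group(1), int(m.group(2) or 255)))
    return out


def attempt_order(events):
    return [method for method, _ in methods(events)]


def winner(events):
    """If both methods succeed, the result with the lowest priority
    value is the one applied to the session."""
    return min(methods(events), key=lambda mp: mp[1])[0]
```

Both snippets give dot1x the winning priority; they differ only in which method the switch kicks off first, which is exactly the phone-boot concern raised above.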
10-31-2019 02:01 PM
I would add that Meraki has an option for hybrid auth and explains that this option sends both MAB and dot1x at the same time. If the BU isn't supporting this, you need to talk to the Meraki team about removing the hybrid auth option. I have done a lot of testing and noticed the MAB request always lands on ISE first as the switch is negotiating dot1x with the client; I have not been able to reproduce any issues on ISE when doing MAB/Dot1x at the same time. I have played with decreasing dot1x timers to replicate this but be more in line with what Cisco supports. Setting dot1x timer tx-period 3 and the retry to 1, or even tx-period to 1 and retry to 1, allows the failover to MAB to work quickly. I use the event agent-found to restart dot1x if we failed and MAB succeeded.
event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x retries 2 retry-time 0 priority 10
event authentication-failure match-first
 10 class DOT1X_FAILED do-until-failure
  10 terminate dot1x
  20 authenticate using mab priority 20
event agent-found match-all
 10 class always do-until-failure
  10 terminate mab
  20 authenticate using dot1x retries 2 retry-time 0 priority 10
This should provide the same result as running them both at the same time and takes care of clients that are not ready to answer the switch eapol start at boot time.
11-01-2019 03:52 AM
Hello Chris
Unless you intentionally didn't show the full config of "class always", shouldn't it look similar to the below for concurrent .1x and MAB authentication? Specifically, it's about the appearance of two "authenticate" statements, one for each method:
10 class always do-until-failure
 10 authenticate using mab aaa authc-list PSN-FOR-MAB authz-list PSN-FOR-MAB priority 20
 20 authenticate using dot1x aaa authc-list PSN-FOR-DOT1X authz-list PSN-FOR-DOT1X priority 10
11-02-2019 03:58 PM
I don't have all my config in the post, but the config you posted is the issue with this entire post. Cisco says sending dot1x and MAB at the same time is not supported, and Cisco ISE is designed to drop the session when multiple auths are seen at the same time from the same session. To get the benefits of sending both at the same time, where we don't see issues around timeouts, my suggestion is to set the dot1x timeout tx-period to 1 or 3 and the retries to 1. In the policy we run dot1x only, but on a dot1x fail we then run MAB. This configuration has worked well and allows computers that are booting or being woken from a sleep timer to correctly join the network, as well as MAB devices to never time out on DHCP requests.
I was doing what you have below, except normally the aaa auth dot1x default meets my requirements so I don't add a specified method to the policy-map action, but it's doing the exact same thing. I really find it useful in the lab where we have both ClearPass and ISE running and can utilize that approach to use both. I have a few policy-maps and port templates that I use based on customer requirements, and some of them run MAB and dot1x at the same time, and I have never ever had an issue, but as Cisco says ISE doesn't support it, an alternative method to accomplish the same thing is provided in my previous post.
01-18-2024 02:17 AM
Hello, Is the concurrent MAB + DOT1X now supported and if so, from which ISE version?
01-18-2024 05:25 AM
hi
It's not, AFAIK, but read this article, Concurrent MAB/Dot1x Again - Cisco Community, to understand the topic more deeply.
I learnt from it that you either have to avoid endpoint suppression by multiple failures or use a crafted Access-Accept as the default rule in Wired MAB.
Good luck
02-26-2020 11:25 AM - edited 02-26-2020 11:35 AM
Maybe I'm missing something. The statement not to run MAB and 802.1x exclusively might be something I'm misinterpreting.
In our network, we've been running gazillions of devices, each of which runs either MAB or 802.1X authentication. The most common MAB devices are printers and AVAYA VoIP phones. The vast majority of our PCs are running 802.1x. We have both Macs and PCs, so we utilize EAP/TLS.
We've attempted to standardize our access ports, so that there is but one official configuration for an access port. Pre-IBNS (say v3.7.4E), we used the following for most ports:
interface gi1/0/1
 description generic 802.1x enabled access port
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 20
Oftentimes, a phone would be plugged into a switch port, and a PC would be plugged into the phone. Things worked reasonably well, but we had an issue with one particular model of Avaya phone, which would often have issues booting whenever we moved the device. As long as it could get the same IP address, it was fine, but re-provision it off of another switch, and it would never complete its configuration.
With the introduction first of IBNS when we upgraded to 16.3.7, and later C3PL when we upgraded to 16.6.6, we're finding that these same phones simply will not boot, even when they are not moved.
In playing around with some of the auto-generated policy-maps that were generated in the 16.6.6 upgrade, we started with the following policy map:
policy-map type control subscriber DOT1X-MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 5 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class MAB_FAILED do-until-failure
   10 terminate mab
  30 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  50 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 300
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 5 retry-time 0 priority 10
This seemed to work well, but we found out otherwise when we upgraded a switch that had a lot of this particular model of phone. A coworker made some changes and came up with the following policy-map:
policy-map type control subscriber MAB-DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 20
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_MEDIUM_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 20
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
This policy-map seems to work with some preliminary testing, but I don't see that the priorities are correct, so I've tweaked it a bit:
policy-map type control subscriber MAB-TEST
 event session-started match-all
  20 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   20 authorize
   30 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
  40 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authentication-restart 60
  60 class always do-until-failure
   10 terminate mab
   20 terminate dot1x
   30 authentication-restart 60
 event agent-found match-all
  10 class DOT1X_HIGH_PRIO do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_VLAN do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_VLAN do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
The changes are subtle. I explicitly added dot1x to the class always do-until-failure clause, and elevated the priority of dot1x to be higher (10) than that of mab (20).
I also reduced the priority of mab from 10 to 20 in the class MAB_FAILED do-until-failure clause.
I'm not 100% on either of the policy-maps, but in my mind, the MAB-TEST one seems more complete. Testing will continue. If anybody is a whiz at these newfangled uses of policy-maps, I would appreciate any feedback.
We have six PSNs, arranged in two node groups, and we're servicing around 25K endpoints. We don't have an issue with load balancing. We are looking at an F5 solution, but hardcoding a batch-size of 1800 seems to work for us.
Don't get me started on the docs that state that a batch-size greater than 25 is considered large. The field takes a value in the range of 1-2,147,483,647 (2**32)-1.
In any case, I think ISE performs just fine. My issue is with these particular Avaya handsets, which I'm stuck with for the time being, with no support. My wish is to have one port configuration that handles both MAB devices and 802.1x PCs, without subjecting the PC users to a lengthy delay when powering up/authenticating for the day.
I believe my wish is to initiate MAB upon sensing a MAC address, but if the device has an 802.1x supplicant, I want to belay that and immediately start 802.1x processing. It was easy to do before IBNS, and now there is a more complicated global config, with the benefit of a slightly simpler interface config.
02-26-2020 12:10 PM
To clarify, running both a MAB and dot1x authentication at the same time for the same endpoint is the piece that is questionable on support. Having both methods enabled on a port is 100% supported, it is the combined and joint kickoff of both that simultaneously refers to.
With IBNS 1, you would specify either MAB or dot1x to start first. You can still do this in IBNS 2, but IBNS 2 can also be configured to run both concurrently for the same endpoint.
See this
https://community.cisco.com/t5/network-access-control/cpl-template-mab-dot1x-simultaneously/td-p/3749539
02-27-2020 01:27 PM - edited 02-27-2020 03:09 PM
Just to add a note for something I recently discovered... while Concurrent Auth is not technically understood or supported by ISE (as Hsing has confirmed), I have used it successfully in my lab and some customer environments with newer switching platforms (Cat 3650/3850 or newer).
I also found recently that a mechanism used to prevent reauthentications breaking FlexAuth (order mab dot1x, priority dot1x mab) in the Legacy IBNS framework also works to make the Concurrent Auth more efficient for dot1x-enabled endpoints. See this old Whitepaper for background:
Flexible Authentication Order, Priority, and Failed Authentication
The behaviour of the typical Concurrent Auth config is similar to that of FlexAuth Case 2 in the above whitepaper (order MAB Dot1x, priority Dot1x MAB). When a reauth is triggered, the switch will try MAB first then Dot1x and the ISE logs will reflect that. If you add the Advanced Attribute Cisco av-pair stated in the footnote of the whitepaper (termination-action-modifier=1) to the AuthZ Profile used by your dot1x endpoints (like SOE PCs), when a reauth is triggered (does not apply to a new session by disconnect/reconnect) the switch will only try the last successful auth method (in this case, dot1x). This results in more efficient reauths and much fewer erroneous MAB sessions/logs.
I've tested this using a Cat9300 running 16.9.4 code, but it should also work with the Cat3650/3850 switches.
Example before:
Example after:
Cheers,
Greg
04-10-2020 12:33 PM
For MAB/Dot1x to run simultaneously is Multi-Auth required vs Multi-Domain on the Switch port?
I'm seeing an enormous amount of these throughout our Enterprise:
Apr 10 12:10:10.095 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d14.5152) on Interface Gi5/37
Apr 10 12:10:10.135 PDT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/37, new MAC address (0018.7d14.5152)
Apr 10 12:10:11.119 PDT: %DOT1X-5-FAIL: Authentication failed for client (0018.7d13.7279) on Interface Gi5/34 A
I want to use multi-domain; however, this issue goes away when I use multi-auth. I have a TAC case open, but I feel like since Multi-Domain only allows 1 Data MAC / 1 Voice MAC, when both dot1x/mab are running it's causing the security violation for the 2nd DATA MAC. I'm seeing this only on ports where MAB devices are connected; the 802.1x ports are solid.
Yes, I turned off port-security, so that's not the reason for the violations:
no switchport port-security maximum 3
no switchport port-security violation restrict
no switchport port-security aging time 2
no switchport port-security aging type inactivity
no switchport port-security