Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
46945
Views
146
Helpful
30
Replies

CPL Template MAB/Dot1x Simultaneously

Go to solution
paul
Level 10
Level 10

‎11-19-2018 12:17 PM

One of the advantages of using the CPL (IBNS 2.0) style template is you have the option to run MAB and Dot1x simultaneously.  This means closed mode is not as detrimental to MAB devices or you can do VLAN moves in open mode without the worry of devices getting an IP on the original VLAN. 

 

I have had Cisco Advanced Services tell some of my customers "We don't recommend doing MAB and Dot1x at the same time because we have seen issue."  I like generic descriptions like that.  When I had the customer press AS for what issues, the only thing they came back with is that is adds extra load to ISE.  Yes there is extra load because all Dot1x sessions will have a MAB authentication, but I have deployments doing 100k+ active authentications doing all CPL switch templates with no issues. 

 

I am just checking to see if others are running MAB and Dot1x simultaneously and what their experience has been.  Our standard is to run them simultaneously at our customers and we haven't had a reason to change it.

3 people had this problem
30 Replies 30

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to mitchp75

‎04-11-2020 01:32 AM

hi
1) concurrent MAB/Dot1x authen has nothing to do with host-mode.
2) we prefer to use multi-auth where possible.
Customers Also Viewed These Support Documents