Solved: Default MAB authentication

aspry · ‎11-05-2019

Hello,

I note from logs that our WIFI users are authenticating via the Default MAB rule in the default policy set and then authenticating via a 802.1x rule created within a policy set I have created, which is further up in the policy sets.

If I disable the default MAB authentication rule within the default policy set the user then fails authentication in the 802.1x rule.

It appears that the user first uses MAB then 802.1x.

Is there a way around this, I only want users to authenticate in the Policy Set that I created and not use the default Policy Set.

Thanks

Andy

hslai · ‎11-08-2019

If you are using Cisco WLC, you might have the WLAN configured for MAC Authentication Failover to 802.1X.

You might want to take a look at this guide -- Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

View solution in original post

varma10 · ‎11-05-2019

Try changing the order in authentication policy and give it a try.

ISE tried policies in sequential order. Also, for authentication failing via dot1x a quick view on the policy might give an idea.

JohnNewman7082 · ‎11-05-2019

Please share your auth rules to be sure your 802.1x rule does not have any coorelation with MAB.

Really though, wifi should only be doing MAB or dot1x, not both. If you want to use dot1x, please ensure MAC filtering is disabled on the wlan.

hslai · ‎11-08-2019

If you are using Cisco WLC, you might have the WLAN configured for MAC Authentication Failover to 802.1X.

You might want to take a look at this guide -- Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3