Disable MAB on DOT1X port

Darkmatter
Level 1

Is it a good practice to disable, thus removing MAB on a switch port that you know to have hosts that should be doing DOT1X only? Like Windows 10 clients for instance.

 

Or is there a good and valid reason to keep MAB on the switch port config?

Accepted Solutions

Mike.Cifelli
VIP Alumni
My two cents: IMO this is a preference, but more importantly a requirements thing. If you are confident that the supplicant is good to go on all clients to support 802.1X, and wish to not have a fallback mechanism in place then go for it. Some customers like having MAB should 802.1X get terminated for whatever reason. MAB can allow you to configure some sort of restricted access, but enough access for you to still have insight on them. Obviously from a security standpoint MAB is less secure and there are mechanisms out there to spoof addresses. However, on the contrary there are other L2 security solutions that could be deployed to aid in those issues. I suppose something else to consider would be the fact that now you would need to determine what specific ports need 802.1X only, versus other ports that may have old school printers that will require MAB. IMO that requires additional admin overhead, and loses any type of mobility. Again though, not fully aware of your environment and/or requirements. Good luck & HTH!
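The answer above points out that removing MAB means working out which ports are 802.1X-only and which still rely on MAB. As an added example (not part of the original post and not Cisco code), this Python script classifies the interfaces of a saved running-config by authentication method; it assumes classic IOS `authentication port-control auto` / `mab` / `dot1x pae authenticator` syntax (or the `access-session` form), and the sample config and interface names are constructed.

```python
import re

# Constructed sample of IOS interface configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Windows 10 client
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description mixed-use port
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description legacy printer
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/4
 switchport mode trunk
!
"""

def classify_ports(config):
    """Map interface name -> 'dot1x-only', 'dot1x+mab', 'mab-only' or 'no-auth'."""
    result, name, lines = {}, None, []
    def flush():
        if name is None:
            return
        # A method only counts when port-control is actually enforced on the port.
        enforced = any(re.fullmatch(r"(authentication|access-session) port-control auto", l) for l in lines)
        dot1x = enforced and "dot1x pae authenticator" in lines
        mab = enforced and any(l == "mab" or l.startswith("mab ") for l in lines)
        result[name] = {(True, False): "dot1x-only", (True, True): "dot1x+mab",
                        (False, True): "mab-only"}.get((dot1x, mab), "no-auth")
    for raw in config.splitlines():
        if raw.startswith("interface "):
            flush()
            name, lines = raw.split(None, 1)[1].strip(), []
        elif raw.startswith(" "):
            lines.append(raw.strip())
        else:  # "!" or any other top-level line closes the interface block
            flush()
            name = None
    flush()
    return result
```

Ports reported as `dot1x+mab` are the ones where the MAB fallback decision discussed in this thread applies; `mab-only` ports are the legacy devices that would lose access if MAB were removed globally.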
