Dot1x Client Authentication With Mab fallback method

ifabrizio
Level 3

Dear All,

I have configured a test switch port with Dot1x and MAB as the fallback authentication.

I connected a new PC that is not known by the ISE, with no certificates, so Dot1x does not work.

I expect that the MAB auth should not allow the PC access to the network because the PC is unknown.

I also modified the Default Authentication rule with these settings:

If auth fail = Reject

If user not found = Reject

If process fails = Drop

But after a few seconds the ISE accepts the new PC and grants access to the network, using the Default MAB auth rule:

Authentication Policy Default >> MAB
Authorization Policy Default >> Basic_Authenticated_Access
Authorization Result PermitAccess

Could you help please?

Best regards,

JF

4 Replies

Which DB do you use to check the endpoint?

Can I see the SW port config?

MHM

Hi MHM,

I use the internal database.

The port is configured in this way:

interface GigabitEthernet10/32
description LABTEST
switchport access vlan 75
switchport mode access
switchport nonegotiate
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree guard root
end

balaji.bandi
Hall of Fame

There are a couple of elements involved and it depends on how they are configured, right from the switch port to the ISE config.

Check the guide example below:

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

BB


ifabrizio
Level 3

Dear All,

Finally I found the problem.

In the ISE Default Authorization Policy, a rule that denies Unknown devices access to the network was missing.

Such as:

Identity Group-Name Equals EndPoint Identity Groups:Unknown, Results = Deny Access.

Bye,

JF.
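To illustrate why the fix in the last reply works, here is an added example (not code from the thread or from Cisco ISE) that models ISE's first-match authorization policy: with only the catch-all Default rule, a MAB session for an unknown MAC gets PermitAccess; placing a Deny rule for the Unknown endpoint identity group above Default changes the result. Rule names, attribute names and MAC addresses are constructed for illustration.

```python
"""First-match authorization policy evaluation, modelled on the ISE policy set.

Added example, not from the thread; rule names, session attribute names and
MAC addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]               # attributes ISE sees for one endpoint session
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    result: str                        # authorization profile, e.g. "PermitAccess"
    condition: Condition = field(default=lambda s: True)  # no condition: always matches


def evaluate(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """Return (rule name, result) of the first rule whose condition matches.

    The last rule is the catch-all 'Default', exactly as in the ISE policy set,
    so anything no earlier rule catches falls through to it."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    raise ValueError("policy has no default rule")


# Condition from the thread: Identity Group-Name EQUALS EndPoint Identity Groups:Unknown
def is_unknown_endpoint(session: Session) -> bool:
    return session.get("EndPointIdentityGroup") == "Unknown"


# Policy as the poster first had it: only the default rule, so every MAB session is permitted
POLICY_BEFORE = [Rule("Default", "PermitAccess")]

# Policy after the fix: an explicit Deny for Unknown endpoints placed above Default
POLICY_AFTER = [
    Rule("Deny_Unknown_Endpoints", "DenyAccess", is_unknown_endpoint),
    Rule("Default", "PermitAccess"),
]

# Constructed session: MAB fallback for a MAC that ISE has never seen (profiled as Unknown)
UNKNOWN_PC = {"Protocol": "MAB", "Calling-Station-ID": "00:11:22:33:44:55",
              "EndPointIdentityGroup": "Unknown"}
# Constructed session: a MAC that was registered into a known endpoint identity group
PRINTER = {"Protocol": "MAB", "Calling-Station-ID": "00:11:22:33:44:66",
           "EndPointIdentityGroup": "Printers"}

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, evaluate(policy, UNKNOWN_PC), evaluate(policy, PRINTER))
```

Note that rule order matters: the same Deny rule placed after Default would never be reached.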