Dot1X timers and MAB

SMD28316
Level 1

When configuring Dot1X we can configure timers like this:

dot1x timeout quiet-period 300
dot1x timeout tx-period 5
dot1x max-reauth-req 1

But how do we configure timers for MAB authentication? Does it use the same values as Dot1X?

 

Accepted Solutions

balaji.bandi
Hall of Fame

The authentication happens based on the order, like 802.1X then MAB: so 802.1X, then wait for timeout, then go to MAB; if that fails, it waits for the retry timer.

Some information that may help you:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html#wp9000135

 

BB

thomas
Cisco Employee

MAB typically happens after 802.1X retries and timeouts.

See ISE Secure Wired Access Prescriptive Deployment Guide for best practice settings including timers:

 

IBNS 1.0 interface Configuration for Monitor Mode

interface GigabitEthernet1/0/1
 description ** Endpoints and Users **
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 device-tracking attach-policy IPDT_POLICY
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast

 

IBNS 2.0:

 

interface GigabitEthernet1/0/1
 description ** Endpoints and Users ** 
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 service-policy type control subscriber POLICY_Gi1/0/1
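
Added example, not part of the original thread or of Cisco's guide: a small Python audit that reads interface configuration like the blocks above and reports how long 802.1X runs before the switch can fall back to MAB. It assumes the commonly documented relationship (max-reauth-req + 1) × tx-period and IOS defaults of tx-period 30 and max-reauth-req 2; the sample config is constructed and the function name is hypothetical.

```python
import re

# Assumed IOS defaults, used when an interface does not set the command.
DEFAULT_TX_PERIOD = 30       # seconds between EAP-Request/Identity frames
DEFAULT_MAX_REAUTH_REQ = 2   # retransmissions after the first request

# Constructed sample: the reply's values, the question's values, and a
# port left at defaults with no MAB configured.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
!
interface GigabitEthernet1/0/2
 mab
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
!
interface GigabitEthernet1/0/3
 dot1x pae authenticator
"""

def mab_fallback_report(config_text):
    """Map each interface to (seconds before 802.1X times out, MAB enabled)."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # top-level line starts a new section
            m = re.fullmatch(r"interface\s+(\S+)", line)
            current = ports.setdefault(m.group(1), {
                "tx": DEFAULT_TX_PERIOD, "retries": DEFAULT_MAX_REAUTH_REQ,
                "mab": False}) if m else None
        elif current is None:
            continue                     # indented line outside an interface
        elif line == "mab" or line.startswith("mab "):
            current["mab"] = True
        elif m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            current["tx"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            current["retries"] = int(m.group(1))
    # Assumed formula: (max-reauth-req + 1) * tx-period; quiet-period is not in it.
    return {name: ((p["retries"] + 1) * p["tx"], p["mab"])
            for name, p in ports.items()}

if __name__ == "__main__":
    for name, (delay, mab) in mab_fallback_report(SAMPLE_CONFIG).items():
        note = "MAB starts after this" if mab else "no MAB: port has no fallback"
        print(f"{name}: 802.1X gives up after {delay}s ({note})")
```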