False Positive / False Negative with 802.1x Performance

donbyers
Cisco Employee

Hello, has anyone ever done any tests around False Positive Rates and False Negative Rates with regard to 802.1x performance (particularly as it pertains to the metrics below)? Or are there any existing test cases or test methods you can share? Also, do you have any guidance for validating FNR/FPR from a posture perspective? Any help would be greatly appreciated!

The Acceptable Quality Limit in the RFS from DHS:

<=.1% FPR of blocked connections; <=1% FNR of unblocked connections within a 30 day period as demonstrated in level 1, level 3 and/or OT&E test events.

Accepted Solution

In my experience,

I've never seen an H0 False unless it is a configuration mistake (for example, authentication open configured) for scenario one.
The same goes for H0 True for the second scenario.

The thing with dot1x is, it either works for sure or it doesn't work at all. There is no middle ground as such unless it is a software bug or changes made on the server w.r.t. the attributes pushed from ISE.

If the configuration is correct and it starts to work, it will continue to work.

3 Replies

Arne Bier
VIP

Can you please explain FNR and FPR in more detail?  I don't quite follow what this has to do with 802.1X in particular.

Sure - basically, with ISE:

1.  What percentage of 802.1X sessions that should have been authenticated successfully, were falsely blocked? (Type 1)

2.  And, what percentage of total allowed sessions, should have actually been blocked? (Type 2)

| Decision | H0 True | H0 False |
|---|---|---|
| Accept Device | Good, the device is authorized and is allowed | Type 2 Error - The unauthorized device is allowed on the network |
| Reject Device | Type 1 Error - The authorized device is blocked | Good, the device is not authorized and is not allowed |
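
Added example (not part of the original thread, and not a Cisco or DHS test method): one way to score a test run against the AQL quoted in the question, using the Type 1 / Type 2 definitions from the reply above. The session tuple layout, the ground-truth `should_allow` label and the one-sided 95% Wilson upper bound are assumptions of this sketch; the bound goes beyond the thread to show how many sessions a run needs before zero observed errors actually demonstrates a limit.

```python
import math
from datetime import datetime, timedelta

# Acceptable Quality Limit quoted in the thread.
AQL_TYPE1 = 0.001  # <= 0.1%: sessions that should have passed but were blocked
AQL_TYPE2 = 0.01   # <= 1%: allowed sessions that should have been blocked
Z_95 = 1.645       # assumption: one-sided 95% confidence

def wilson_upper(errors, n, z=Z_95):
    """Upper confidence bound on an error rate (Wilson score interval)."""
    if n == 0:
        return 1.0  # no sessions observed, nothing demonstrated
    p = errors / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre + margin) / (1 + z * z / n)

def score(errors, n, limit):
    upper = wilson_upper(errors, n)
    return {"n": n, "errors": errors, "observed": errors / n if n else None,
            "upper95": upper, "demonstrated": upper <= limit}

def evaluate(sessions, window_end, days=30):
    """sessions: (timestamp, should_allow, was_allowed) tuples, where
    should_allow is ground truth from the test plan, not from ISE."""
    start = window_end - timedelta(days=days)
    legit = type1 = allowed = type2 = 0
    for ts, should_allow, was_allowed in sessions:
        if not start <= ts <= window_end:
            continue  # outside the 30-day measurement window
        if should_allow:
            legit += 1
            type1 += not was_allowed   # authorized device blocked
        if was_allowed:
            allowed += 1
            type2 += not should_allow  # unauthorized device allowed
    return {"type1": score(type1, legit, AQL_TYPE1),
            "type2": score(type2, allowed, AQL_TYPE2)}

if __name__ == "__main__":
    end = datetime(2024, 1, 31)  # constructed sample data, not real logs
    for n in (500, 3000):
        run = [(end - timedelta(minutes=i), True, True) for i in range(n)]
        run += [(end - timedelta(hours=i), False, False) for i in range(50)]
        print(n, evaluate(run, end))
```

With zero errors in both constructed runs, only the 3000-session run demonstrates the 0.1% Type 1 limit; the 500-session run's upper bound is about 0.54%.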

 
