Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

jithu murickal

HOST PC Trying for MAB authentication instead of dot1x




  Host PCs are trying to authenticate with MAB instead of dot1x. after two failed attempts in MAB, then a fallback happening to dot1x. 

Priority and order for authentication is dot1x then mab. 


So there is a huge failed attempts happening and lot authentication message to server make the CPU utilization high. Kindly throw some idea tp avoid MAB authentication for host PCs (dot1x supplicant )..



Thank you,




The config on the switch does not affect the actual PC. It tells the switch what order to attempt to authenticate with. Let's go back to basics, as it's always helpful:

If the switch is configured correctly with 802.1x (.1x for short), and you have correctly put in the command for dot1x mab, and all other configurations on the ports, etc. are correct, then the port will be "closed" except for LEAP/ EAPOL messages.

So, the PC will request access to the network. It will send an EAPOL msg with .1x request. The switch will forward the request msg in an EAPOL packet to the radius server, requesting access. The radius server will look up the request in SACS. If the device is entered correctly, and depending how the SACS is configured, it will poll AD for the correct .1x certificate. If it finds the correct .1x certificate, it will reply with an "you're ok" message. The switch will receive the message, and if ok, will allow normal traffic to flow across the port.


That's a down-and-dirty way to look at .1x.

The key is this: do ALL of your PC's have issues, or is it just one or two of them? If it's just one or two of them, then I'd suggest running the command show dot1x all [details | statistics | summary] You can also do it per port like show dot1x interface xxx. Great for troubleshooting, as well as the logs.

Again, though, if it's just one or two PC's, I'd make sure that the PC's are correctly configured for 802.1x authentication. I've seen that before. The PC was not configured for 802.1x, so the switch thought it was a MAB device, and immediately went to MAB. I'd bet your configuration allows for it to try it several times, then falls back to 802.1x.

Again, if it's one or two, but others are passing, then I'd say to focus on the PCs. Otherwise, confirm that your config on the PC's port is similar to others that are passing.



How is your authentication policy looking? 

Do you have a condition for wired 802.1x? Ours looks like this:



We also have a condition for wired mab:



Then we have profiled all the devices, and only devices that actually do 802.1x are allowed the condition "802.1x" if they fail back to mab - they fail. same vice versa! 

So we have 2 different rules, with different profiled devices selected for each. I´m still testing it, but it seems to be working! 

you will find the conditions in the conditions/authorization/compound conditions. and they are actually a cisco default condition. 


Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube