Re: Increasing performance for MAB

rezaalikhani · ‎08-02-2023

Hi all;

One of my customer uses an IP-based CCTV that does not support dot1X. So, they implemented MAB for that type of devices. The problem is that, when the port comes up, sometimes the CCTV device allocates itself its default IP address (in my case, 192.168.1.13) and so its network connection brokes. Now my question is, is it possible to optimize the MAB performance so the device authentication and DHCP DORA operation goes faster?

Thanks

Rob Ingram · ‎08-02-2023

@rezaalikhani in most deployments 802.1X is prioritised over MAB authentication, MAB would only start after the 802.1X timeout expires, if the timeout is too long this would cause an issue with some devices acquiring an IP address. You could decrease the dot1x timeout and max-reauth values or prioritise MAB over 802.1X on the interfaces.

Refer to the Authentication Timer Settings - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

rezaalikhani · ‎08-02-2023

Thanks for your reply;

I have only configured MAB method on interfaces that CCTV devices connect.

Rob Ingram · ‎08-02-2023

@rezaalikhani is the MAB process taking a longtime to complete then? If a device is connected to the switchport which is configured to perform MAB only, then there should be no delay waiting for 802.1X to timeout and ISE should receive and process the request straight away. Perhaps take a packet capture to determine how long it takes to receive the access-accept from ISE.

Arne Bier · ‎08-02-2023

Please share the output of the "show run interface xxx" and "show derived interface xxx"

MAB is instantaneous as soon as the first Ethernet frame is received on the interface. There should be no delay in getting that request to ISE. If ISE is not over a satellite link or some slow connection then the response times should be in tens of milliseconds.

If you have Primary and Secondary RADIUS servers configured in a Group, then check if both are responsive. You should have a holdtimer configured to keep any non-responsive server down for X number of minutes (to prevent repeated delays)

andrewswanson · ‎08-02-2023

Is the CCTV device directly connected to and powered by the switchport? I've seen some setups where CCTV devices (usually external to the building) were aggregated on unmanaged switches. These devices could be powered on with their ethernet interfaces in the up state regardless of the state of the upstream switchport.

Leo Laohoo · ‎08-02-2023

I see this happening all the time. For example, a power outage at a site. A Cisco switch takes about 5 minutes before the management IP address can be pinged. However, some wired clients take less than 4 minutes to boot up. When a MAB client boots up before the switch, the software inside will "wait" for the network. After a certain amount of time it will "revert" to it's old self.

When this happens, we would tell the clients at the site to reboot their printer and the MAB would kick in. We reported this issue to our printer vendor who, after a few years later, were able to furnish a software upgrade to our printers.

I would like to put it out there that our printer vendor, due to the contract (which stipulates that if the printer does not work we will not pay), were very eager to get paid. This does not apply to vendors who already got their money and have gone off to Jamaica.