Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2983
Views
5
Helpful
6
Replies

Is there a priority for MAB and 1X in ISE authentication?

Go to solution
JustTakeTheFirstStep
Level 4
Level 4

‎02-13-2020 09:48 PM - edited ‎02-21-2020 11:13 AM

I'm testing my wireless authentication.

You have set policies for MAB and 1X.

 

rule1.png

Rule1 = MAB
Rule2 = 1X

 

Like the ACL, i know that policies are applied from top to bottom.

Wireless authentication performs 1X authentication after MAB authentication in order.

 

rule1_1.png

 

This is as I wish.

 

However, if you change the rule order, only 1X authentication is performed.

 

Why not perform the MAB certification of Rule1 when the order is changed?

 

rule2.png

Rule2 = 1X
Rule1 = MAB

 

rule2_1.png

 

Is 1X authentication a higher priority than MAB?

Why not perform the MAB certification of Rule1 when the order is changed?

 

Preview file
11 KB
Preview file
12 KB
Preview file
13 KB
Preview file
12 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-13-2020 10:04 PM

The order in which this occurs is set on the network device proxying the authentication. If you set a switch to perform 802.1x first, it will. If you set the same switch to perform MAB first, it will.

Now, if a switch is configured for both MAB and Dot1x, and the switch sees an eapol start frame, it will start dot1x with the client.

The order of your two authentication policy sets are irrelevant because they contain different flows. They are treated top down, but only if they match on the same criteria. Authorization rules within the policy set specific to MAB or dot1x are very important because of this but again come down to matching criteria first. In order to hit #1 you have to be doing MAB, in order to hit #2, you have to be doing dot1x. So again, this comes back to the network device configuration.

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-18-2020 09:37 PM

You can't authenticate an endpoint with MAB on an 802.1x secured Wireless SSID. If the SSID is configured for 802.1x, the endpoint must authenticate using an 802.1x authentication method (PEAP, EAP-TLS, etc).

Unlike Wired switches, there is no concept of falling back to a MAB authentication if 802.1x fails for Wireless.

You can only authenticate an endpoint with MAB when using an Open or PSK (requires WLC 8.3 code or newer) SSID.

 

Cheers,

Greg

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-13-2020 10:04 PM

The order in which this occurs is set on the network device proxying the authentication. If you set a switch to perform 802.1x first, it will. If you set the same switch to perform MAB first, it will.

Now, if a switch is configured for both MAB and Dot1x, and the switch sees an eapol start frame, it will start dot1x with the client.

The order of your two authentication policy sets are irrelevant because they contain different flows. They are treated top down, but only if they match on the same criteria. Authorization rules within the policy set specific to MAB or dot1x are very important because of this but again come down to matching criteria first. In order to hit #1 you have to be doing MAB, in order to hit #2, you have to be doing dot1x. So again, this comes back to the network device configuration.

Go to solution
JustTakeTheFirstStep
Level 4
Level 4
In response to Damien Miller

‎02-17-2020 12:04 AM

Can switches set the authentication order?
Thank you for your reply.
But the infra here is wireless authentication in PC - WLC - ISE sequence.
Can you answer me again using wireless authentication as an example, not authentication on Switch
And please reply more easily. I'm using a translator.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to JustTakeTheFirstStep

‎02-17-2020 07:34 AM

Sorry my bad, I completely glossed over the wireless piece because this is typically a wired question. For completion sake since people may find this in the future, on a switch when doing wired authentication you do this one of two ways.
1. With IBNS 1.0, you set the order directly on the switchport
2. With IBNS 2.0, you set the order in your control policy, which the policy then gets applied to the port.

On wireless, it's a bit different. The WLAN config dictates if the clients+WLC will do 802.1x or MAC filtering.
Typically the WLAN will be configured for WPA2 - 802.1x or MAC Filtering but usually not both. I would say it is not very common for WLANs to be configured for both, and it's not like a switch where you do one then the other. If you enable both on the same WLAN then the endpoints would need to be configured for 802.1x still.

There are two common use cases for MAC filtering on a WLAN.
1. Guest with an open SSID and web redirect
2. iPSK, where you define separate pre shared keys for different groups of predefined mac addresses in ISE. This mixes MAC filtering, wpa2, and PSK for the security mode. But it does not include 802.1x.

What are you trying to accomplish?
0 Helpful

Go to solution
JustTakeTheFirstStep
Level 4
Level 4
In response to Damien Miller

‎02-18-2020 09:04 PM

The current MAB rule is Permit if the client's MAC exists in the endpoint group.

But I would like to know why 1X authentication is Rule 1 and MAB authentication is Rule2 and does not go through MAB authentication.

Is there a problem?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-18-2020 09:37 PM

You can't authenticate an endpoint with MAB on an 802.1x secured Wireless SSID. If the SSID is configured for 802.1x, the endpoint must authenticate using an 802.1x authentication method (PEAP, EAP-TLS, etc).

Unlike Wired switches, there is no concept of falling back to a MAB authentication if 802.1x fails for Wireless.

You can only authenticate an endpoint with MAB when using an Open or PSK (requires WLC 8.3 code or newer) SSID.

 

Cheers,

Greg

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-21-2020 02:35 PM

Rule 1 has the condition on Wireless MAB so only authentications matching that will report hits. The same goes for Rule 2 on Wireless 802.1X.

0 Helpful
Customers Also Viewed These Support Documents