ISE MAB/802.1x best practices with 3rd party Aruba/Procurve switch

jeilers1975
Level 1

Hi all, I am running into issues trying to use ISE with the ArubaOS-Switch (former Procurve devices).


Specifically, these switches do not have a concept like FlexAuth. They will send out MAB and 802.1x requests "at the same time" and often MAB will hit first. I have ISE configured to continue on MAB auth failure and to get restricted access if it isn't in the endpoint store.

When a Windows PC with the 802.1x supplicant configured for machine auth is put on the network, the switch will send out a MAB auth and an 802.1x auth.

When this happens, ISE handles it properly in that it will process the MAB, then the 802.1x, and succeed on 802.1x and assign the correct VLAN. However, the process takes longer, and when I look at the endpoint attributes and authentication I see it reporting the auth type as MAB even though the live session shows 802.1x and the endpoints screen says MSCHAPv2.


So, I have 2 questions.

1: Is there any optimization I can do to ISE to get it to process the 802.1x faster? I assume a similar thing would happen if FlexAuth on a Cisco switch were configured for MAB before 802.1x, with 802.1x being prioritized over MAB.


2: On the confusing endpoint attributes and other details: is there some way to clean this up so that the out-of-date MAB session details are removed?


RichardAtkin
Level 3
1. No. In Cisco switches we can specify the 'order' and the 'priority', giving us all the flexibility you could want to manage situations like this. I do feel your pain though, and it took me quite a lot of effort to get an acceptable solution working on some Procurve switches with ISE last year; newer software on the switches was a big help.

2. No - ISE usually just remembers/shows you as much as it can. You could purge the endpoint entirely after 'x' days which would delete all knowledge of it from ISE, but if you're doing anything like setting any static configs on the endpoint then this isn't really an option for you.
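For reference, this is the Cisco 'order' and 'priority' configuration the reply above refers to, written out as an added example (not from either poster) on the legacy IOS authentication-manager CLI, not IBNS 2.0; the interface, VLAN and timer values are assumed for illustration:

```ios
! Cisco IOS access port: 802.1X tried first, MAB only as the fallback,
! and an 802.1X result always outranks a MAB result on the same port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! order: which method the switch starts with (dot1x before mab)
 authentication order dot1x mab
 ! priority: if MAB has already authorized the port and a supplicant
 ! then answers, the 802.1X result replaces the MAB authorization
 authentication priority dot1x mab
 ! when a method fails, move on to the next one in the order list
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication port-control auto
 ! enable both methods on the port
 mab
 dot1x pae authenticator
 ! time before the switch gives up on a silent supplicant and falls to MAB:
 ! tx-period * (max-reauth-req + 1) = 10 s * (2 + 1) = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

Because the switch, not ISE, decides which method runs first and which result wins, the same race the original post describes cannot be resolved from the ISE side alone.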