Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


MAB Authentication with no response

Hi All,

I am configuring MAB authentication for IBMS devices(some buliding infra devices) but MAB was not getting triggered.

I tried using the following solution as well,

it says I should changed control-direction to inbound "dot1x control-direction in", that let the MAB work. By applying this interface level command I can see that session is getting authorized but still I can not ping the devices.

Can someone exactly confirm whats the issue over here and how to resolve?

My config on port is as follows,


int ten1/1/9

switchport mode access

authentication host-mode single-host

authentication port-control auto

authentication violation restrict

authentication control-direction in





Hi Robert,

I was checking the use of this command and came across with this statement saying

" The caveat to this method is that an SVI must exist on every switch in every VLAN where

Windows clients who run DHCP reside."

and In my setup, mostly edge switches are running on layer 2 purely. SVIs are created on core switches where routing is done. so wondering if this command will still supports and the purpose can be achieved?



Cisco Employee


The command still applies. I have used this command with "use svi" and built a local svi on the edge switch just for this reason. The ip device tracking uses arp to resolve the ip address. Some device dont respond like others. By using the use svi command you source it directly from the edge switch. I know it's a pain to build an svi for each vlan that is using static IPs but it may be the only way. Try it on one and let us know the outcome.

Sent from Cisco Technical Support Android App


The customer use case (detailed below) is essentially MAB for protected devices on specific ports to one server and all other ports would point to a separate server. Is this something that could be accomplished via SANet? This would of course require them to upgrade all affected access switches assuming what Hsing-Tsu mentioned below is true and we're limited to 3650/3850 today.

You can have different RADIUS servers for for dot1x and MAB when you use identity policy (SANet).

You can create two policies doing the same thing (eg MAB) but use different RADIUS servers.

You would then have a different policy attached to the port groups in question.