07-21-2021 03:50 AM
Hi,
I would like to ask about ISE.
Can I do MAC authentication and username/password or certificate authentication together in ISE?
I mean our device first uses MAC authentication, and if the MAC is correct, it then checks the username and password or the certificate. Is it possible?
I would like to do not only MAC authentication but also username/password authentication.
Solved! Go to Solution.
08-06-2021 07:40 PM - edited 08-06-2021 07:41 PM
You may do MAC Authentication (MAB) OR you may do 802.1X (with a username+password or certificate).
These are 2 different methods and you cannot mix them.
802.1X authentication is superior to MAB because a MAC address may be spoofed, the user may have more than one device, or the device may randomize its MAC address.
If you want to tie an authentication to a specific endpoint, you should use endpoint certificates with 802.1X.
07-21-2021 04:49 AM
- Normally it is not done that way; supplicant/dot1x protocols offer username-based certification, which is also much stronger if it is implemented (MAC addresses may be forged).
M.
07-21-2021 12:53 PM - edited 07-21-2021 12:53 PM
Yes, it can, using FlexAuth:
"Case 2: MAB First in Order but Higher Priority Assigned to 802.1X
If you change the order so that MAB comes before 802.1X and change the default priority so that 802.1X has higher priority than MAB, then every device in the network will still undergo MAB. However, devices that pass MAB can subsequently authenticate via 802.1X. This enables a scenario where devices can get partial access to be assigned an IP address or begin a PXE boot, and so forth, after successful authentication via MAB and then get complete access after a successful 802.1X authentication. In this case, you can have 802.1X devices in your MAB database.
Pay attention to what happens if a device fails 802.1X after a successful MAB. First, the device will have temporary network access between the time MAB succeeds and 802.1X fails. What happens next depends on the configured event-fail behavior. If local web-auth is not configured, then the switch will return to the first method (MAB) after the configured interval (dot1x timeout quiet-period). MAB will succeed, the device will again have temporary access until and unless the supplicant tries to authenticate again. This behavior is supplicant-dependent. Some supplicants will stop attempting 802.1X after a certain number of failed attempts and some will continue indefinitely. If the supplicant stops attempting 802.1X altogether, the device will eventually end up with MAB-authorized access. If the supplicant continues to attempt 802.1X, the device will have intermittent access as it cycles between successful MAB and failed 802.1X."
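The interface configuration that produces the "Case 2" behaviour quoted above, added here as an illustration rather than taken from the poster or from Cisco's document; the interface name, timer values and the assumption that ISE returns a restricted authorization (e.g. a dACL) for the MAB result and full access for the 802.1X result are mine:

```cisco
! Hypothetical access port; adjust the interface name to your switch.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Run MAB first so every endpoint is looked up by MAC address.
 authentication order mab dot1x
 ! Give 802.1X higher priority: a later 802.1X success overrides the
 ! earlier MAB authorization, so the port moves from limited to full access.
 authentication priority dot1x mab
 authentication port-control auto
 ! If a method fails, fall through to the next one instead of stopping.
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 ! Shorter EAP retransmit so a supplicant that is present identifies quickly;
 ! quiet-period is the wait before MAB is retried after an 802.1X failure
 ! (the "configured interval" mentioned in the quoted text).
 dot1x timeout tx-period 10
 dot1x timeout quiet-period 60
```

The "partial then full access" outcome depends on the ISE authorization policy: the MAB rule must return a restricted result (limited dACL or VLAN) and the 802.1X rule the full-access result, otherwise MAB alone already grants everything and the priority setting changes nothing.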
07-21-2021 06:49 PM
Hi,
I would like to know if my switch port authentication can be a double authentication.
E.g. MAC sticky + 802.1X with certificate or username/password (not MAC sticky or 802.1X).
I want the switch port to check the MAC first. If the MAC is correct, check 802.1X with a certificate. I would like to do two-step authentication.
Let me know: can a switch port do only one authentication at a time?
Or can it do both?
07-21-2021 09:29 PM
Hi @MrBeginner ,
Remember that the port-security command (switchport port-security mac-address sticky) is at switch level and 802.1X is an ISE feature; that's why it's not recommended to use port-security with 802.1X.
Hope this helps !!!