05-01-2024 06:03 PM
Hello,
I almost always see this command given as best practice: authentication order dot1x mab, but sometimes I see this given as best practice instead: authentication order mab dot1x.
The priority is always this: authentication priority dot1x mab
- When I have a PC (dot1x) and an IP phone (MAB) on the same port, what do you recommend?
- Why would I use one order over the other?
- And what do you normally use in these situations? What is your real-world experience?
Thank you very much
Regards
05-02-2024 12:16 AM
@babalao I traditionally use the defaults, 802.1X first before MAB. This works well in scenarios where a PC is plugged in behind a phone. Ensure the authentication timer settings are not excessive, as this can cause DHCP to time out on some MAB devices. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515
This guide explains the different order/priority scenarios and the points to consider when changing the order/priority. https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf
05-02-2024 12:25 AM
The best practice I suggest is as below, since if you use MAB, that is not secure at all; if dot1x fails, then use MAB for devices without supplicant support.
The priority is always this: authentication priority dot1x mab
05-02-2024 12:28 AM
The difference is:
order dot1x mab <<- this is not common in Cisco docs, and the steps are:
The SW will try dot1x; if that fails, then it tries MAB. This is the old fallback-to-MAB auth.
order mab dot1x <<- this is listed in the Cisco FlexAuth feature, and it is new; the steps are:
The SW will detect any MAC and send it to RADIUS to check auth with the MAC; here the MAC must not be listed in RADIUS. If this auth fails, then the SW starts dot1x.
Why does Cisco use auth order mab dot1x?
Because some devices, like printers, send a DHCP request in the first frame to the SW; if the SW tries dot1x first and then MAB, there is a chance that this SW will not get an IP.
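To put the two orders discussed above side by side, here is an added interface configuration (written for this thread, not taken from any of the replies or from the linked Cisco guides). It is classic IOS/IOS-XE FlexAuth syntax for a multi-domain port with a PC behind an IP phone. The interface name, VLAN numbers and timer values are assumptions; the point is that the order controls which method starts first, the priority controls which method wins if both succeed, and the dot1x timers bound how long a MAB-only device waits when dot1x runs first.

```cisco
! Variant A: defaults, dot1x first, MAB as fallback (what the first reply uses).
! A supplicant-less device (printer, phone) must sit through the EAPOL timeout
! before MAB runs. Time to fallback = (max-reauth-req + 1) * tx-period.
! With the IOS defaults (tx-period 30, max-reauth-req 2) that is 90 s, long
! enough for some DHCP clients to give up; 10 s / 2 below cuts it to 30 s.
interface GigabitEthernet1/0/10
 description Access port - PC behind IP phone (example values)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! Variant B: MAB first, dot1x second (the FlexAuth order the third reply
! describes). The switch sends the first MAC it learns to RADIUS immediately,
! so a printer whose first frame is DHCP is authorized without waiting for
! any EAPOL timeout. "event fail action next-method" is what makes a RADIUS
! reject for the MAC hand the session over to dot1x instead of failing it.
! Priority stays dot1x mab: if a PC later sends EAPOL on a port already
! authorized by MAB, dot1x takes over the session, so a cloned MAC that is
! in the RADIUS database does not outrank a real supplicant.
interface GigabitEthernet1/0/11
 description Access port - printers and other MAB-only devices (example values)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

To confirm which method actually authorized a session and how long it took, check `show authentication sessions interface GigabitEthernet1/0/10 details` after plugging the device in: the Method line shows mab or dot1x per MAC, and on the dot1x-first port a MAB device should show up roughly 30 s after link-up with the timers above. Remember that in variant B every MAC on the port is sent to RADIUS before any supplicant is asked, so keep the MAB identity store tight (no wildcard endpoint groups) or the MAB-first order simply hands out access to whatever MAC appears first.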