cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
213
Views
3
Helpful
3
Replies

Switch config for ports with dot1x and MAB at same time - auth order

babalao
Spotlight
Spotlight

Hello,

I almost always see this command as best practice authentication order dot1x mab , but sometimes I see this as best practice authentication order mab dot1x.

The priority is always this: authentication priority dot1x mab

-when I have PC (dot1x) and IP Phone (MAB) on the same port what do you recommend?

-Why would I use one orden over the other?

-And what do you guys use normally in these situations? what is your real world experience?

Thank you very much

Regards

 

2 Accepted Solutions

Accepted Solutions

@babalao  I traditionally use the defaults, 802.1X first before MAB. This works well in scenarios where a PC is plugged in behind a Phone. Ensure the authentication timers settings are not excessive as this can cause DHCP to timeout on some MAB devices. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

This guide covers explains the different order/priority scenarios and the points to consider when changing the order/priority. https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf

 

View solution in original post

balaji.bandi
Hall of Fame
Hall of Fame

Best practice i suggesting using as below - since if you use MAB that is not secure at all - if dot1x fails then use MAB for non supplicant supported devices.

The priority is always this: authentication priority dot1x mab

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

3 Replies 3

@babalao  I traditionally use the defaults, 802.1X first before MAB. This works well in scenarios where a PC is plugged in behind a Phone. Ensure the authentication timers settings are not excessive as this can cause DHCP to timeout on some MAB devices. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

This guide covers explains the different order/priority scenarios and the points to consider when changing the order/priority. https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf

 

balaji.bandi
Hall of Fame
Hall of Fame

Best practice i suggesting using as below - since if you use MAB that is not secure at all - if dot1x fails then use MAB for non supplicant supported devices.

The priority is always this: authentication priority dot1x mab

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

the different is 
order dot1x mab <<- this not common in cisco doc. and the steps are 
SW will try dot1x if failed then it try MAB, it is old fallback MAB auth

order mab dot1x <<- this list in flexAut cisco feature and it is New and the steps are 
SW will detect any MAC and send to raduis and check auth with MAC, here the MAC must not list in radius, if this auth is failed then the SW start dot1x 

why cisco use order auth order mab dot1x ?

because there is some device like printer request DHCP in first frame to SW if SW use first dot1x then try auth with MAB  there is chance that this SW will not get IP.