Switch config for ports with dot1x and MAB at same time - auth order

babalao

Hello,

I almost always see this command given as best practice: "authentication order dot1x mab", but sometimes I see this given as best practice instead: "authentication order mab dot1x".

The priority is always this: "authentication priority dot1x mab"

- When I have a PC (dot1x) and an IP phone (MAB) on the same port, what do you recommend?

- Why would I use one order over the other?

- And what do you normally use in these situations? What is your real-world experience?

Thank you very much

Regards


2 Accepted Solutions

@babalao I traditionally use the defaults, 802.1X first before MAB. This works well in scenarios where a PC is plugged in behind a phone. Ensure the authentication timer settings are not excessive, as this can cause DHCP to time out on some MAB devices. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

This guide explains the different order/priority scenarios and the points to consider when changing the order/priority. https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf


balaji.bandi

The best practice I suggest is as below, since using MAB on its own is not secure at all: if dot1x fails, then fall back to MAB for devices without supplicant support.

The priority is always this: "authentication priority dot1x mab"

BB


12 Replies

Hello,

I'm looking forward to expert advice here.

Currently we've configured the switch ports for MAB-based authentication, and we're planning to move to dot1x.

As part of testing, whenever we change the "authentication order" and "authentication priority" from MAB (current setup) to dot1x and generate a new authentication session, the switchport goes into drop state.

When doing "sh mac addresses int gi0/x", we can see the MAC address and the port status as "drop".

Could you please try to shutdown the port, change the configs, and then unshut it?

Hello,

Thanks for the suggestions.

Tried it but still the same problem. Port goes into drop state.

Make a new post please.

MHM

You're welcome. What device type are you trying to authenticate/authorize via dot1x? A PC or a phone? Also, could you please share your sanitized configs from the RADIUS server and the switch port for review?

Hello,

We're trying to authenticate Windows PCs via dot1x. The supplicant is already configured on the system end.

Below is the port configuration:

interface GigabitEthernet0/19
 switchport access vlan xxx
 switchport mode access
 switchport voice vlan zzz
 switchport port-security maximum 2
 authentication event server dead action authorize vlan xxx
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 authentication timer inactivity 3600
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable

On the RADIUS server we've kept a simple, straightforward config for testing purposes only, as below:

EAP-Type : TLS (Accept)

The supplicant is configured accordingly on the system end.

Could you please try removing the command "switchport port-security maximum 2" and also replacing "authentication host-mode multi-host" with "authentication host-mode multi-auth"?

Hello Aref,

Tried the above suggestion, but still the same problem. The switchport goes into dropped state.

Hello Shivesh. Not really sure; I would think maybe the switch software is hitting some bug, I don't know. I would try looking into the switch software release notes and upgrading it to the latest recommended release.

The difference is:

order dot1x mab <<- this is not common in Cisco docs. The steps are: the SW will try dot1x; if that fails, then it tries MAB. This is the old fallback MAB auth.

order mab dot1x <<- this is listed in the FlexAuth Cisco feature and is new. The steps are: the SW will detect any MAC and send it to RADIUS to check auth with the MAC; here the MAC must not be listed in RADIUS. If this auth fails, then the SW starts dot1x.

Why does Cisco use auth order mab dot1x?

Because there are some devices, like printers, that request DHCP in the first frame to the SW. If the SW uses dot1x first and only then tries auth with MAB, there is a chance that it will not get an IP.
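The two orders discussed in this thread (802.1X first in the first accepted answer, MAB first in the reply just above) side by side, as an added example that is not from any of the posters. Interface names, VLAN IDs, descriptions and timer values are placeholders chosen for illustration; the fallback-time arithmetic in the comments follows Cisco's documented 802.1X behaviour, where the switch retransmits EAP-Request/Identity max-reauth-req times at tx-period intervals before giving up on 802.1X.

```cisco
! Added example (not from the thread): two port templates contrasting the
! two authentication orders. Interface names, VLANs and timers are placeholders.

! --- Variant A: order dot1x mab (the IOS default, as in the first accepted answer)
! The switch sends EAP-Request/Identity first and only falls back to MAB after
! 802.1X times out. Worst-case wait before MAB even starts is roughly
!   tx-period x (max-reauth-req + 1) = 10 s x (2 + 1) = 30 s
! With the defaults (tx-period 30, max-reauth-req 2) that is about 90 s, long
! enough for some MAB-only devices to give up on DHCP, which is the timer
! concern raised in the accepted answer.
interface GigabitEthernet1/0/1
 description PC behind IP phone - 802.1X first, MAB fallback
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Variant B: order mab dot1x (the FlexAuth "MAB first" style from the last reply)
! MAB runs as soon as the first frame arrives, so a MAB-only device (printer,
! phone) is authorized without waiting for the 802.1X timeout. Keeping dot1x at
! the higher priority means that if a supplicant later sends EAPOL, 802.1X still
! runs and its result replaces the MAB authorization. For that to matter, a
! supplicant-capable endpoint's MAC must NOT be in the RADIUS MAB database;
! if it is, MAB succeeds first and the port is authorized on the weaker
! MAC-based result until 802.1X preempts it.
interface GigabitEthernet1/0/2
 description Printer/phone ports - MAB first, 802.1X on EAPOL
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
 spanning-tree bpduguard enable

! Verify which method actually authorized an endpoint on either variant:
!   show authentication sessions interface GigabitEthernet1/0/2 details
```

In both variants the priority line is the same; only the order changes. Variant A keeps MAB as a strict fallback but makes the 802.1X timers the critical setting, while Variant B removes the DHCP race for MAB-only devices at the cost of making the RADIUS MAB database the control point: any MAC that is in it will be authorized before 802.1X is ever attempted, so that list should contain only the devices that genuinely cannot run a supplicant.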