IBNS 2 and Cisco ISE, Windows machines auth with MAB then Dot1x

Hi

I just want to find out if this is normal, as it is a pain to troubleshoot devices that hit my deny policy, as every Dot1x session has a MAB failed session then a Dot1x permit session.

My switch config does specify to use Dot1x first then MAB

"policy-map type control subscriber DOT1X-CONFIG
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20 "

If I look at the live RADIUS logs, the machine first tries MAB, then after a few split seconds it does Dot1x.

2 Replies

Hi @rayyaanfayker0006 

Cisco does not recommend running MAB and Dot1x in parallel. Set Dot1x as priority, then failover to MAB. Best practice is to ensure the 802.1x timeout period is no more than 30 seconds.

Refer to the Secure Wired Access Prescriptive guide below, for the recommended IBNS 2.0 configuration and timeout settings.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--1823767250

HTH

The issue with not running in parallel is that if a device does MAB, like a phone, I am going to have to wait 30 seconds before it connects.
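
Added example, not part of the thread and not copied from the Cisco guide: one way to express the sequential order the reply recommends, where 802.1X runs alone at session start and MAB is tried only after the supplicant fails to respond, in contrast to the `do-all` class in the question, which starts both methods together. The policy and class names, the interface, and the timer values are assumptions for illustration.

```ios
! Matches a dot1x attempt that ended because no supplicant answered.
! (class name DOT1X_NO_RESP is an assumed name)
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
! Policy name DOT1X-THEN-MAB is an assumed name.
policy-map type control subscriber DOT1X-THEN-MAB
 ! Session start: run dot1x only. do-until-failure stops at the first
 ! failing action instead of launching every listed method at once.
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 ! No supplicant response: stop dot1x, then fall back to MAB.
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
 ! A supplicant shows up later (for example after OS boot):
 ! drop the MAB session and authenticate with dot1x instead.
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
!
! Placeholder interface. The timers below are illustrative values:
! dot1x gives up after roughly tx-period x (max-reauth-req + 1)
! = 10 x 3 = 30 seconds, the upper bound mentioned in the reply.
interface GigabitEthernet1/0/1
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 service-policy type control subscriber DOT1X-THEN-MAB
```

With this ordering a dot1x-capable machine produces no MAB request in the RADIUS live log unless its supplicant stays silent for the whole timeout, while MAB-only devices such as phones wait out that timeout before they authenticate.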

