10-01-2020 07:59 AM
Hi
I just want to find out if this is normal, as it is a pain to troubleshoot devices that hit my deny policy, as every Dot1x session has a MAB failed session, then a Dot1x permit session.
My switch config does specify to use Dot1x first, then MAB:
"policy-map type control subscriber DOT1X-CONFIG
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20 "
If I look at the live RADIUS logs, the machine first tries MAB, then after a few split seconds it does Dot1x.
10-01-2020 08:13 AM - edited 10-01-2020 08:15 AM
Cisco does not recommend running MAB and Dot1x in parallel. Set Dot1x as priority, then failover to MAB. Best practice is to ensure the 802.1x timeout period is no more than 30 seconds.
Refer to the Secure Wired Access Prescriptive guide below, for the recommended IBNS 2.0 configuration and timeout settings.
HTH
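For the troubleshooting problem raised in the question, one way to separate real deny-policy hits from MAB failures that are followed within moments by a Dot1x permit for the same endpoint. This is an added example, not code from the thread or from Cisco; the CSV layout, the function names and the 5-second window are assumptions, and the sample log lines are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (assumed layout): time, endpoint MAC, method, result
SAMPLE_LOG = """\
2020-10-01T07:40:01.120,AA:BB:CC:00:00:01,MAB,FAIL
2020-10-01T07:40:01.480,AA:BB:CC:00:00:01,DOT1X,PASS
2020-10-01T07:41:10.000,AA:BB:CC:00:00:02,MAB,FAIL
2020-10-01T07:42:30.250,AA:BB:CC:00:00:03,MAB,FAIL
2020-10-01T07:42:30.900,AA:BB:CC:00:00:03,DOT1X,FAIL
2020-10-01T07:45:00.000,AA:BB:CC:00:00:01,MAB,FAIL
"""


def parse(text):
    """Turn CSV text into (timestamp, mac, method, result) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # skip blank lines
        ts, mac, method, result = (field.strip() for field in row)
        rows.append((datetime.fromisoformat(ts), mac.upper(),
                     method.upper(), result.upper()))
    return rows


def triage(rows, window=timedelta(seconds=5)):
    """Split MAB failures into (noise, genuine).

    noise   = same MAC passed Dot1x within `window` of the MAB failure
    genuine = no nearby Dot1x pass, so the deny result needs a look
    """
    passes = {}
    for ts, mac, method, result in rows:
        if method == "DOT1X" and result == "PASS":
            passes.setdefault(mac, []).append(ts)
    noise, genuine = [], []
    for ts, mac, method, result in rows:
        if method != "MAB" or result != "FAIL":
            continue
        shadowed = any(abs(p - ts) <= window for p in passes.get(mac, []))
        (noise if shadowed else genuine).append((ts, mac))
    return noise, genuine


if __name__ == "__main__":
    noise, genuine = triage(parse(SAMPLE_LOG))
    for ts, mac in genuine:
        print(f"investigate {mac} at {ts.isoformat()}")
```
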
10-01-2020 08:54 AM