dot1x with MAB fallback, fallback to slow for host to access network

Hello everyone,

I came across a problem while labbing a Win10 host with a network access device (NAD) in a virtual environment.

Basically, I have the NAD set to authenticate the Win10 host with user credentials (username and password) and, if that fails, which I purposely let happen, to use MAB as the next method.

Now I managed to change some of the config on the NAD to send the MAB (call-check) method faster, thanks to this document https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392563 , section "Timers and Variables". But somehow, after the MAB check passes, the Win10 host has already decided that the authentication failed and the connection won't be established, even though MAB gives a green light.

I am thinking that either the MAB switchover is too slow, which I don't know is even possible since I have set the minimum timers as the document suggests, and maybe that is not even the issue in the first place, or maybe the Win10 host needs additional configuration to refresh itself if the second method passes.

Did anyone else come across this issue, or did anyone manage to get a Windows node working with MAB fallback? All help is appreciated.

The switch is an IOSv and the config related to dot1x for the end-node interface is:

interface GigabitEthernet0/0
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1

EDIT: I think I will not bother with this subject for now. Some internet sites gave more knowledge about MAB and its common use cases with dot1x; some articles explained how MAB is used after a NAD does not receive a response to the maximum configured number of Request-Identities for dot1x.

While debugging this in a virtual environment with a NAD, I saw that the NAD was not sending any EAP Request-Identity messages if the supplicant is not configured for dot1x, so yeah...
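The post above tunes `dot1x timeout tx-period` and `dot1x max-reauth-req` to make the switch give up on 802.1X and move to MAB sooner. The script below is an added example, not the poster's code or Cisco's: it parses an IOS interface stanza in the same shape as the posted one, applies the timer formula from the "Timers and Variables" section of the linked MAB deployment guide (the switch sends `max-reauth-req + 1` EAP Request-Identity frames, `tx-period` seconds apart, before falling back, so a silent host waits `(max-reauth-req + 1) * tx-period` seconds), and lists the interface commands that must be present for the dot1x-then-MAB fallback to work at all. The default timer values (tx-period 30, max-reauth-req 2) are the IOS defaults; the second, contrast configuration is constructed for the example.

```python
"""Estimate the 802.1X-to-MAB fallback delay of a Cisco IOS access port.

Added example; not from the original post. Formula from the Cisco MAB
deployment guide ("Timers and Variables"): a port with a host that never
answers EAP sends (max-reauth-req + 1) Request-Identity frames, tx-period
seconds apart, and only then falls back to the next method (MAB).
"""
import re

# IOS defaults for the two timers the guide tells you to tune (assumed here).
DEFAULT_TX_PERIOD = 30       # seconds between EAP Request-Identity retries
DEFAULT_MAX_REAUTH_REQ = 2   # retries before 802.1X is considered timed out

# Copied from the post above (IOSv, interface GigabitEthernet0/0).
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
"""

# Constructed contrast case: default timers, MAB listed in the order but
# never enabled on the interface, and no fail action.
DEFAULT_TIMER_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
"""


def parse_interface_config(text):
    """Pull the dot1x/MAB-relevant commands out of one IOS interface stanza."""
    cfg = {
        "tx_period": DEFAULT_TX_PERIOD,
        "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
        "order": [],            # authentication order <methods>
        "priority": [],         # authentication priority <methods>
        "fail_action": None,    # authentication event fail [retry N] action <x>
        "port_control": None,   # authentication port-control <mode>
        "mab": False,
        "dot1x_authenticator": False,
    }
    patterns = [
        (r"dot1x timeout tx-period (\d+)", lambda m: cfg.update(tx_period=int(m.group(1)))),
        (r"dot1x max-reauth-req (\d+)", lambda m: cfg.update(max_reauth_req=int(m.group(1)))),
        (r"authentication order (.+)", lambda m: cfg.update(order=m.group(1).split())),
        (r"authentication priority (.+)", lambda m: cfg.update(priority=m.group(1).split())),
        (r"authentication event fail (?:retry \d+ )?action (\S+)", lambda m: cfg.update(fail_action=m.group(1))),
        (r"authentication port-control (\S+)", lambda m: cfg.update(port_control=m.group(1))),
        (r"mab", lambda m: cfg.update(mab=True)),
        (r"dot1x pae authenticator", lambda m: cfg.update(dot1x_authenticator=True)),
    ]
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, apply in patterns:
            m = re.fullmatch(pattern, line)
            if m:
                apply(m)
                break
    return cfg


def mab_fallback_delay(cfg):
    """Seconds a non-802.1X host waits on this port before MAB is attempted."""
    return (cfg["max_reauth_req"] + 1) * cfg["tx_period"]


def check_mab_fallback(cfg):
    """Findings that would stop dot1x-then-MAB from working; empty means OK."""
    findings = []
    if cfg["port_control"] != "auto":
        findings.append("missing 'authentication port-control auto'")
    if not cfg["dot1x_authenticator"]:
        findings.append("missing 'dot1x pae authenticator'")
    if not cfg["mab"]:
        findings.append("'mab' is not enabled on the interface")
    if "mab" not in cfg["order"]:
        findings.append("'mab' is not in 'authentication order'")
    if cfg["fail_action"] != "next-method":
        findings.append("missing 'authentication event fail action next-method'; "
                        "only an 802.1X timeout, not an explicit failure, moves on to MAB")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("default timers", DEFAULT_TIMER_CONFIG)):
        cfg = parse_interface_config(text)
        print(f"{name}: MAB after {mab_fallback_delay(cfg)} s of silence; "
              f"findings: {check_mab_fallback(cfg) or 'none'}")
```

With the posted timers the fallback delay is 2 seconds, against 90 seconds with the IOS defaults; the finding about `fail action next-method` matters for the scenario in the post, where the supplicant answers EAP but fails, because without it the switch does not move to MAB on a failure at all.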