I'm wondering what I have wrong here. We have 802.1x clients trying MAB and registering a failed authentication on our NPS servers. The ports have a Cisco phone (authenticating via MAB) and a Windows 10 PC (authenticating using dot1x).
Policy order on the NPS server: MAB (for phones), dot1x (for PCs).
Port config is:
interface GigabitEthernet1/0/6
 description PORT 1 OFFICE 1
 switchport mode access
 switchport voice vlan 250
 authentication event fail retry 0 action authorize vlan 100
 authentication event server dead action authorize vlan 200
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
I believe that the 802.1x client will send an EAPOL message, which will prioritise dot1x, so it's possible the client will try MAB first but will switch to dot1x upon the EAPOL frame being received.
I'm wondering if this is what is causing the MAB authentication failure being logged, e.g. MAB failing before dot1x authenticates?
Am I missing any obvious timer, etc., in the above config?
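For comparison, here is the authentication section of the same port with the method order reversed so that dot1x is attempted before MAB, shown next to the order from the post. This is an added example and is not part of the original post or any reply to it; it reuses the interface name and tx-period from the post, the lines not shown are assumed unchanged, and the timer arithmetic in the comments assumes the IOS default dot1x max-reauth-req of 2.

```cisco
! Added example (not from the original post): two method orders for the same port.
! Lines not shown (description, VLANs, event actions, portfast) are assumed unchanged.
!
! (a) Order as posted: MAB runs first. The switch sends a RADIUS Access-Request
!     with the endpoint MAC as User-Name as soon as the MAC is learned, before any
!     EAPOL frame has been seen. A dot1x-only PC therefore produces a MAB attempt
!     against NPS for every new session; dot1x only takes over afterwards because
!     "authentication priority dot1x mab" lets the higher-priority method pre-empt.
interface GigabitEthernet1/0/6
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! (b) Alternative order: dot1x runs first and MAB only starts after dot1x times out.
!     The PC answers EAP-Request/Identity, so its MAC is never sent to the NPS MAB
!     policy. The phone, which does not answer, waits
!         tx-period * (max-reauth-req + 1) seconds
!     before MAB begins: 10 * (2 + 1) = 30 s with the values below.
!     Lowering tx-period or max-reauth-req shortens the phone's wait; the
!     "no-response" event action from the post fires only after this timeout.
interface GigabitEthernet1/0/6
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

Whichever order is used, "show authentication sessions interface GigabitEthernet1/0/6 details" lists the method currently in use and the one that authorized the session, which is the quickest way to confirm which method generated a given NPS event.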