Flexible Authentication Order, Priority Cisco ISE

Can someone out here please explain the meaning of the below?

interface <interface_number>
 authentication order mab dot1x
 authentication priority dot1x mab

What is the real-time use of the order and priority commands?

Is it mandatory to have the priority command?

Please give some real-life examples.

1 ACCEPTED SOLUTION

VIP Mentor

Start with reading the following document. It will give you some good examples:

Flexible Authentication Order, Priority, and Failed Authentication


Here is my understanding, if someone would like to comment and confirm whether this is correct.

Use case 1:

authentication order mab dot1x
authentication priority dot1x mab

Result: first the client will do MAB; if this passed, then it will do the dot1x. If MAB auth failed, then it will also do the dot1x. The negative side of this is that each and every device has to go through the MAB process, which is an overhead on ISE. If dot1x is not successful it will get the policy as configured for MAB.

Use case 2:

authentication order mab dot1x
authentication priority mab dot1x

MAB failed: it will go to dot1x.
MAB passed: it will not go to dot1x.

Use case 3:

authentication order dot1x mab
authentication priority mab dot1x

The endpoint will do dot1x, and will only go to MAB if dot1x fails.

 

Participant

Re: Here is my understanding, if

Could anyone confirm that if:

order mab dot1x
priority dot1x mab

then a dot1x client will start up as MAB but immediately be switched to dot1x upon sending an EAPOL frame?

i.e. it doesn't have to fail the MAB process to progress to dot1x, and therefore the MAB process won't fail due to the dot1x being successful?

Cisco Employee

Re: Here is my understanding, if

Yes.
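As an added illustration for the three use cases above and for the EAPOL-Start question just answered, the following Python is a small model written for this thread; it is not Cisco code and not text from the linked document. It encodes the rules the thread describes: the switch walks `authentication order` and only moves on when a method fails or times out, while `authentication priority` decides whether an endpoint that speaks 802.1X on its own can pre-empt a method that is still running or has already succeeded. The interface name, the `parse_interface_config` and `simulate` functions, and the sample endpoints are all assumptions of the model; the fall-through on failure assumes `authentication event fail action next-method`, and what happens when a pre-empting dot1x fails after MAB already succeeded is taken from the reply above rather than from a switch.

```python
"""Model (added for this thread, not switch code) of how Cisco IOS
flexible authentication treats 'order' versus 'priority'.

Rules encoded, as stated in the thread and the linked Cisco document:
  * 'order' is the sequence the switch itself walks; it moves to the
    next method only when the current one fails or times out
    (assumes 'authentication event fail action next-method').
  * 'priority' decides who wins when the endpoint speaks 802.1X on its
    own: dot1x may pre-empt a lower-priority method that is running or
    has already succeeded, and is ignored if that method outranks it.
  * MAB is never initiated by the endpoint, so it never pre-empts.
Timers, platform defaults and guest/critical VLAN handling are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# True = RADIUS accepted, False = rejected, None = no response / timeout
Result = Optional[bool]


@dataclass
class FlexAuthConfig:
    order: List[str]
    priority: List[str]

    def rank(self, method: str) -> int:
        """Position in the priority list; lower number = higher priority."""
        return self.priority.index(method)


def parse_interface_config(text: str) -> FlexAuthConfig:
    """Pull the order/priority lines out of an interface stanza. Other lines
    are ignored; method names are lower-cased like the IOS CLI treats them."""
    order: Optional[List[str]] = None
    priority: Optional[List[str]] = None
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if words[:2] == ["authentication", "order"]:
            order = words[2:]
        elif words[:2] == ["authentication", "priority"]:
            priority = words[2:]
    if not order or not priority:
        raise ValueError("model needs both 'authentication order' and 'authentication priority'")
    if set(order) != set(priority):  # model constraint, keeps rank() total
        raise ValueError("order and priority must list the same methods")
    return FlexAuthConfig(order, priority)


def simulate(cfg: FlexAuthConfig, results: Dict[str, Result],
             sends_eapol_start: bool = False) -> Tuple[Optional[str], List[str]]:
    """Return (method whose result authorizes the port, or None; trace).

    results: outcome of each method for this endpoint; a non-supplicant
    (printer, phone without 802.1X) has results['dot1x'] = None.
    sends_eapol_start: supplicant sends EAPOL-Start at link-up, i.e. while
    the first method in 'order' may still be in progress.
    """
    supplicant = results.get("dot1x") is not None
    governing: Optional[str] = None
    done: set = set()
    trace: List[str] = []

    def attempt(method: str) -> bool:
        nonlocal governing
        done.add(method)
        outcome = results.get(method)
        if outcome is None:
            trace.append(f"{method}: no response, timed out")
        elif outcome:
            trace.append(f"{method}: success" + (f", replaces {governing}" if governing else ""))
            governing = method
        elif governing is None:
            trace.append(f"{method}: failed")
        else:
            # Reply above says the earlier MAB authorization stays; on a real
            # switch this depends on 'authentication event fail action'.
            trace.append(f"{method}: failed, port keeps {governing} authorization")
        return bool(outcome)

    # Switch-driven walk through 'order': stop at the first success.
    for method in cfg.order:
        if method in done:
            continue
        if (sends_eapol_start and supplicant and method != "dot1x"
                and "dot1x" not in done and cfg.rank("dot1x") < cfg.rank(method)):
            trace.append(f"{method}: interrupted by EAPOL-Start, dot1x has higher priority")
            if attempt("dot1x"):
                break
            # dot1x failed, so the interrupted method is tried next (model choice)
        if attempt(method):
            break

    # Endpoint-driven pre-emption after a lower-priority method already won.
    if governing is not None and supplicant and "dot1x" not in done:
        if cfg.rank("dot1x") < cfg.rank(governing):
            trace.append(f"EAPOL from supplicant: dot1x outranks {governing} and runs now")
            attempt("dot1x")
        else:
            trace.append(f"EAPOL from supplicant ignored: {governing} has higher priority")
    return governing, trace


# The three use cases from the reply above; the interface name is a placeholder.
USE_CASES = {
    "use case 1": "interface GigabitEthernet1/0/1\n authentication order mab dot1x\n authentication priority dot1x mab",
    "use case 2": "interface GigabitEthernet1/0/1\n authentication order mab dot1x\n authentication priority mab dot1x",
    "use case 3": "interface GigabitEthernet1/0/1\n authentication order dot1x mab\n authentication priority mab dot1x",
}

if __name__ == "__main__":
    endpoints = {  # constructed sample endpoints: (results, sends EAPOL-Start early)
        "supplicant, EAPOL-Start at link-up": ({"mab": True, "dot1x": True}, True),
        "supplicant, answers when asked": ({"mab": True, "dot1x": True}, False),
        "printer, MAB only": ({"mab": True, "dot1x": None}, False),
    }
    for name, text in USE_CASES.items():
        cfg = parse_interface_config(text)
        for label, (results, early) in endpoints.items():
            who, steps = simulate(cfg, results, early)
            print(f"{name} / {label}: authorized by {who}; " + "; ".join(steps))
```

Running it shows the two points the thread makes: with `priority dot1x mab` a supplicant that sends EAPOL-Start never has to wait for MAB to fail (trace starts with "mab: interrupted by EAPOL-Start"), whereas with `priority mab dot1x` the same EAPOL frame is ignored once MAB has succeeded. Every device still goes through MAB first under `order mab dot1x`, which is the ISE overhead the reply mentions.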

Beginner

Re: Here is my understanding, if

It depends on the policies; I prefer to do dot1x first and, if it fails, then do MAB.
If you have MAB policies that can "overlap" with dot1x policies then it might cause issues, e.g. a MAB policy for workstation onboarding.
In most cases dot1x first works better for me.