Doubts about Dot1x with failover method MAB

ifabrizio
Level 1

Dear All,

I configured the port of the test switch to use dot1x as the first authentication method and, as a fallback in case dot1x fails, to use MAB authentication.

Everything seems to work correctly. But I have a question:

If I connect a new PC that is not present in the ISE MAB database, should the PC not be able to access the network?

Bye,

JF

 


ifabrizio
Level 1

The switch port config follows:

switchport access vlan 71
switchport mode access
switchport nonegotiate
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree guard root
end

It depends on the condition in the Authentication policy: if you select the action Continue for when the endpoint is unknown, it continues to authz; if not, then the user will fail to get access.

MHM
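
The answer above, as an added example that is not part of the thread and is not Cisco code: a simplified Python model of how the authentication policy's "If user not found" option and the authorization rules together decide what an unknown MAC gets once the switch has fallen back to MAB. The policy contents, group names, MAC addresses and the DenyAccess default are constructed assumptions, not values from the poster's ISE.

```python
# Added illustration: simplified model of the ISE decision for a MAB request.
# Rule names, groups, MAC addresses and the default result are constructed.
from dataclasses import dataclass

@dataclass
class Policy:
    known_endpoints: dict            # MAC -> endpoint identity group
    if_user_not_found: str           # "REJECT", "DROP" or "CONTINUE"
    authz_rules: list                # ordered (rule name, required group, result)
    authz_default: str = "DenyAccess"  # assumed default authorization result

def mab_decision(policy, mac):
    """Return (authentication outcome, authorization result) for one MAC."""
    group = policy.known_endpoints.get(mac.lower())
    if group is None:
        # Endpoint is not in the MAB database: the authentication policy's
        # "If user not found" option decides what happens next.
        if policy.if_user_not_found == "REJECT":
            return ("not-found/reject", "Access-Reject")
        if policy.if_user_not_found == "DROP":
            return ("not-found/drop", "no response")
        authn = "not-found/continue"  # carry on to the authorization policy
    else:
        authn = "found"
    # Authorization policy: first matching rule wins, otherwise the default.
    for _name, required_group, result in policy.authz_rules:
        if required_group is None or required_group == group:
            return (authn, result)
    return (authn, policy.authz_default)

ENDPOINTS = {"00:11:22:33:44:55": "Corp-Printers"}          # constructed
RULES = [("Printers", "Corp-Printers", "PermitAccess")]     # constructed
CATCH_ALL = ("Catch-all", None, "PermitAccess")             # matches any endpoint

def demo():
    """Evaluate a new, unregistered PC under three policy variants."""
    new_pc = "AA:BB:CC:DD:EE:FF"
    return {
        "REJECT": mab_decision(Policy(ENDPOINTS, "REJECT", RULES), new_pc),
        "CONTINUE": mab_decision(Policy(ENDPOINTS, "CONTINUE", RULES), new_pc),
        "CONTINUE+catch-all": mab_decision(
            Policy(ENDPOINTS, "CONTINUE", RULES + [CATCH_ALL]), new_pc),
    }

if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant:20} -> {outcome}")
```

With Continue selected, the unknown PC is only kept off the network if no authorization rule (including the default) grants it access, so both policies need checking.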
