MAB auth fail issue

ITexpert
Level 3

I configured MAC authentication bypass with an NPS server, and it's working if I add the MAC address in Active Directory. But for unknown devices, ports are still going into error-disable state 9 (Orange). Instead, they should go into the guest VLAN.

 

Please see my configuration and let me know if I am missing anything.

 

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius   (I don't know the purpose of this command)
dot1x system-auth-control

Interface G1/0/3
 switchport mode access
 authentication event fail action authorize vlan 10
 authentication host-mode multi-auth
 authentication order mab
 authentication port-control auto
 mab
!

 

 

That's all I configured. Basically, I just want to use the MAC address from NPS to allocate VLANs, and if it fails then the switch just assigns the guest VLAN.

 

Thanks

 
2 Replies

pieterh
VIP

You can configure an authentication failed (auth fail) VLAN for each 802.1X port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1X-compliant and cannot access another VLAN...

 

This option is not intended for devices that are not dot1x-aware and only use MAB!

In your NPS you need to configure a policy to assign the guest VLAN when MAB authentication fails.

I am unable to figure out how to create a policy in NPS for non-domain objects. For example, if an unknown device connects to my network, I will not have its MAC address, and NPS will only move objects which are in Active Directory.

Any help will be appreciated.