We are doing a MAB POC as we speak to enhance our level of port security for exotic non-dot1x devices.
Our test device is an IE3000 8-port industrial switch running Version 15.2(2)E4 (the preferred IOS version for communication with ISE 2.2).
When booting the device, MAB authentication works 100% of the time.
When doing a shut/no shut of the network port or removing/reinserting the network cable, in most cases MAB authentication fails and the end device's MAC address is no longer present in the MAC address table.
The only way to make things work again is a reboot of the device.
interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 5
 auto qos trust
 no mdix auto
 storm-control broadcast level 60.00
 storm-control action shutdown
 storm-control action trap
 macro description MAB
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
end
Attached you can find 2 debug files (debug mab all & debug authentication all).
Have you tried switching the authentication order to mab dot1x? Here is a configuration that we are currently using on some different switches. I removed a few things to focus on the 802.1x configuration. My review is based on recommended best practices on the Cisco Community forum.
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 3600
 authentication timer inactivity 180
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
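The two port configurations in this thread differ in a handful of authentication settings, and spotting them by eye in a flattened running-config is error-prone. The script below is an added example written for this page, not code from either poster: it parses IOS interface blocks and flags the settings the reply singles out (authentication order, fail-action next-method, host-mode, violation action). The two sample configs are constructed from the blocks posted above; the interface name wrapped around the reply's stanza (GigabitEthernet1/0/1) is a placeholder, since the reply shows the commands without one. The defaults it assumes (host-mode single-host, violation shutdown) are IOS 15.x behaviour.

```python
"""Lint IOS 802.1X/MAB port configs for the settings compared in this thread.

Added example for this page; not code from either poster.
"""
import re

# Constructed sample: the original poster's interface block (authentication lines only).
POSTER_CONFIG = """
interface FastEthernet1/1
 description ## Tel + PC dot1x mab ##
 switchport access vlan 666
 switchport mode access
 switchport voice vlan 667
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
"""

# Constructed sample: the reply's recommended stanza. The interface name is a
# placeholder (hypothetical); the reply posted the commands without one.
REPLY_CONFIG = """
interface GigabitEthernet1/0/1
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 3600
 authentication timer inactivity 180
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
"""


def parse_interfaces(config):
    """Return {interface_name: [command, ...]} from IOS running-config text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def lint_port(cmds):
    """Return a list of findings for one interface's command list (empty == OK)."""
    findings = []
    cmdset = set(cmds)
    order = next((c for c in cmds if c.startswith("authentication order ")), None)
    if "mab" not in cmdset:
        findings.append("mab not enabled on port")
    if "dot1x pae authenticator" not in cmdset:
        findings.append("dot1x pae authenticator missing")
    if order is None:
        findings.append("no 'authentication order' configured")
    elif order.split()[2] != "mab":
        # dot1x first: a non-supplicant device only reaches MAB after the
        # EAPOL request (tx-period x max-reauth-req) times out.
        findings.append(f"'{order}' tries dot1x first; MAB waits for the dot1x timeout")
    if "authentication event fail action next-method" not in cmdset:
        findings.append("no 'authentication event fail action next-method'")
    if not any(c.startswith("authentication host-mode") for c in cmds):
        # Assumed IOS default: single-host. Phone + PC needs multi-domain or multi-auth.
        findings.append("host-mode not set (default single-host); phone + PC port needs multi-domain or multi-auth")
    if not any(c.startswith("authentication violation") for c in cmds):
        # Assumed IOS default: shutdown (port goes errdisable on a violation).
        findings.append("violation action not set (default shutdown / errdisable)")
    return findings


def lint_config(config):
    """Lint every interface in a config; returns {interface: [findings]}."""
    return {name: lint_port(cmds) for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for label, cfg in (("poster", POSTER_CONFIG), ("reply", REPLY_CONFIG)):
        for iface, findings in lint_config(cfg).items():
            print(f"[{label}] {iface}: {findings or 'OK'}")
```

Run it against a full `show running-config` dump to get one finding list per access port; the reply's stanza produces no findings, while the original poster's port is flagged on order, fail-action, host-mode and violation action.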