
Endpoint double authentication Cisco ISE - Juniper Mist AP

Themax20
Level 1

Hi community

Hoping someone here can shed some light.

I am working on deploying some Juniper Mist WAPs in our network. I have configured the WAP as a NAD in Cisco ISE for 802.1x and MAB. I have set my policies and everything is working so far. When I connect to an AP, the endpoint is authorized by Cisco ISE. However, when I try to set the port on the switch to authorize the AP itself in ISE, I get an unexpected issue. Besides authorizing the WAP, I can see the switch has attempted to authorize the endpoint using MAB, even though it has already been authorized via 802.1x via the AP.

So in ISE I have two log entries for my endpoint authentication: an 802.1x entry from the Juniper WAP and a MAB entry from the switch.

The WAP is connected to the switch using a trunk. The native VLAN of this trunk is used to assign the IP to the WAP and manage it. Can I restrict the 802.1x and MAB to the native VLAN in the trunk? Is it something related to the Device profile in Cisco ISE for the Juniper AP?

 

Any help is appreciated.

2 Replies

Mark Elsen
Hall of Fame

 

  - @Themax20 If the switch is doing MAB too for the AP connection, then you must examine the port configuration for the AP and make sure that 802.1x is done, and/or allowed, only.

   M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

MAB for authc of the AP is not a good idea.

The SW port connected to the AP has the MACs of the AP and all the other Wi-Fi clients; this cannot control it.

So you can use 802.1x with multi-host mode on the SW, and this is not secure.

So in the end, both methods are not optimal for authc of the AP.

MHM
