
authentication open and 802.1x failure

edmcnich
Cisco Employee

With this config on the switch:

interface GigabitEthernet2/0/30
 switchport access vlan 24
 switchport mode access
 switchport voice vlan 25
 authentication event fail action next-method
 authentication event server dead action authorize vlan 24
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 30
 authentication fallback Webauth
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

When the 802.1x client fails authentication, I get open access and am not being passed to MAB. So my question is: if "authentication open" and "authentication order dot1x mab webauth" are configured and 802.1x authentication fails, will the port access go to OPEN or will it continue to MAB?

3 Replies

mnagired
Cisco Employee

Hello edmcnich,

Configs look good.

A couple of things on ISE:

1. Hope the endpoint MAC address is part of the endpoint identity group (Administration > Identity Management > Groups > Endpoint Identity Groups). Maybe add the MAC under one of those available groups.

2. Set the authorization profile to have dot1x as the first method and MAB as the next option, and set the condition. Refer to the attachment.

Let me know if that helps.

paul
Level 10

The port should continue to MAB once Dot1x times out or fails.  I would get rid of the webauth methods.  If the device continues to send Dot1x frames to kick the switch out of MAB they could get indefinite open access to the network.  This is the downside to using open mode and the legacy template.
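
An added example, not part of the original thread and not Cisco's code: a small Python audit that flags, in IOS-style interface stanzas, the two risks raised above (open mode with nothing restricting the port, and webauth still in the method list). The sample config is constructed (trimmed from the question, plus a hypothetical second port with a made-up ACL name PRE-AUTH), and treating an ingress ACL as the compensating control for open mode is an assumption of this example.

```python
import re

# Constructed sample. Gi2/0/30 is trimmed from the question; Gi2/0/31 is a
# hypothetical variant (the ACL name PRE-AUTH is made up for this example).
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/30
 authentication open
 authentication order dot1x mab webauth
 authentication fallback Webauth
 mab
!
interface GigabitEthernet2/0/31
 ip access-group PRE-AUTH in
 authentication open
 authentication order dot1x mab
 mab
end
"""

def split_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = ports.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(" ".join(line.split()))  # normalise spacing
        else:
            current = None  # "!", "end" or a global command ends the stanza
    return ports

def audit_port(cmds):
    """Return findings for one port, keyed to the points raised in the thread."""
    findings = []
    order = next((c.split()[2:] for c in cmds if c.startswith("authentication order ")), [])
    has_acl = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
    if "authentication open" in cmds and not has_acl:
        findings.append("open-mode-unrestricted")  # forwarded whatever the auth result
    if "webauth" in order or any(c.startswith("authentication fallback ") for c in cmds):
        findings.append("webauth-configured")  # the reply suggests removing these
    return findings

def audit(config):
    return {name: audit_port(cmds) for name, cmds in split_interfaces(config).items()}

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, findings or "no findings")
```

Feed it the output of `show running-config` saved to a file; any port reported as `open-mode-unrestricted` will give a failed 802.1x client the same access as a successful one.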

mnagired
Cisco Employee

Hello edmcnich,

Are you good, or do you still need assistance? If not, then we would close this thread. Let us know.