Wireless 802.1x with MAB as fallback and FreeRadius
Rodrigo Antunes
rodrigoaantunes at yahoo.com.br
Thu Jul 17 12:16:47 UTC 2025
> For wired. Not for WiFi.
I think in both of these articles they accomplished this in WiFi.
"If you have both, MAC Filter and 802.1x it will always send both requests to ISE.
It will send the mac address first so you have a few options:
1. Perform MAB and if it is valid do not perform 802.1x. (i.e. a printer)
2. Perform MAB and if it is NOT VALID, perform 802.1x. (i.e. a domain computer)
3. You can do as Sandeep said to perform both MAB and 802.1x and force both to pass.
You need to make sure that under your Authentication policy for Wireless-MAB you select the "Continue" option for "if the user does not exist". Otherwise you'll get an access-reject for the MAB and won't get to the 802.1x authentication."
https://community.cisco.com/t5/wireless/cisco-wireless-mab-and-802-1x/td-p/3699599
https://community.cisco.com/t5/wireless/ise-2-1-802-1x-and-mac-filtering/td-p/3763618
> Basically you enable MAC Authentication Bypass in the wireless controller and then it sends the MAC to the RADIUS server; if the MAC is invalid then it tries 802.1x.
> I tried that, but when the client connects to the SSID it sends the MAC and is rejected by RADIUS.
> If only there was some kind of debug output you could read. Oh well.
Well, in the debug I can see exactly what I said, the MAC is rejected, but I don't know how to make it "continue" and try dot1x like in the articles I have cited.