Cisco Support Community
Community Member

FlexConnect Access Point - Wired 802.1X or MAB Authentication

Hi all,

We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.

I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?

Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?

Thanks in advance.



Cisco Employee

Hi Stephen. You are correct,

Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:

1. AP, authenticates via MAB and profiling

2. Client authenticates via PEAP/EAP-TLS, etc

3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.

So I have ran into this issue in my deployments and you have the following options (listed in preference order):

1. Eliminate FlexConnect :)

2. Utilize AutoSmartPorts where:

- If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled

- If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured

More info on auto smart ports:

3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.

Hope this helps!


Thank you for rating helpful posts!

Community Member

Thanks Neno!Number 1 isn't an

Thanks Neno!

Number 1 isn't an option for our remote branches (where we need 802.1X and port security the most when APs are exposed).

I'll have a read about smart ports.

Are you able to provide a configuration example for multi-host mode with MAB that will work with a trunk port?




Cisco Employee

Hi Stephan. The 802.1x

Hi Stephan. The 802.1x configuration on the trunk port is exactly the same as it is on an access port. I was able to get it work and did not have any issues. When I asked Cisco "Exactly what part of 802.1x is not supported on a trunk" I was not given a straight answer :) Now, I never deployed it because the customer did not like the multi-host mode so I don't know what the long term consequences are. Thus, take that option/solution with a grain of salt. Otherwise the command is 

authentication host-mode multi-host

If solution #1 is not an option then I would highly recommend that you use the auto-smart ports. They are pretty powerful and you can do a lot of different things with the default and custom built macros. They can also be a little tricky so make sure you test it in your lab first. The first time I did it all of my trunk ports got auto-configured and let's just say that a lot of things stopped working :)


Thank you for rating helpful posts! 

Community Member

Hi Neno,After several TAC

Hi Neno,

After several TAC cases to try and get smart ports working, it turns out smart port macros aren't supported for FlexConnect/HREAP access points; only local mode access points.

So the only options are to change away from FlexConnect, tag the native VLAN (only supported on 3750s and not 2960s), or implement management VLAN access lists (which is best practise anyway).  

No other way to secure access point ports unfortunately.



Stephen, I have used ise



I have used ise triggered smart port mcros in the past, to change a port to a trunk, when certain devices are attached, for example an AP, based on it's mac address, and that works fine, auto smart ports don't need to "support" anything really, as they are just running config commands on a port, based on what ise tells it to do.

Is this not the scenario you are using ?

Community Member

Hi Jan,Tried using macros

Hi Jan,

Tried using macros based on MAC addresses but they still weren't triggering, TAC suspected a bug with IOS version 12.2(55)SE5.  They suggested upgrade to IOS 15 however then we run into bug CSCta05071 relating to CoA for wired 802.1X.

What IOS version were you successfully running this on?




I believe after much

I believe after much instability and bugs found in 12.2(55)SE5 or 6 i think was out at the time, we ended up with 12.2(58)SE2 as the most stable, and where it worked. As i remember one thing to disable is processing of macros, or it will start to trigger on the built in macros instead of just the ones you give it from ISE.

Community Member

Thanks Jan.Yes I made that

Thanks Jan.

Yes I made that mistake once on my lab setup, and it reconfigured the trunk uplink to the router and so I lost connectivity to it - had to fix via console :)

Community Member

Hi Neno. Tried to implement

Hi Neno.


Tried to implement MAB authentication on a trunk port but I didn't get it to work properly. How did you set it up? Did you configure native vlan or did you leave it on default?

We are running a POC where we need MAB with FlexConnect AP's

Here's the portconfig:

Switch#sh run | begin interface GigabittEthernet1/0/18
interface FastEthernet1/0/18
 description SA-DEFAULT_1.1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123  !* Have tried with default setting also
 switchport mode trunk
 switchport protected
 switchport block unicast
 ip arp inspection limit rate 20
 no logging event link-status
 no logging event power-inline-status
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-host    ! No success with this entry and Trunk
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 ipv6 traffic-filter IPV6 in
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 20
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard loop
 service-policy input XXXXXX
 ip verify source
 ip dhcp snooping limit rate 20

Thanks in advance

Cisco Employee

What version of code are you

What version of code are you running? I did forget to mention that you need to be on the 15.x train. 

Community Member

Hi Neno.

Hi Neno.

I'm running on 15.0(2)SE9 with IP base on a Cat 3750E

After upgrade to above release we actually got the smartport macros to be triggered by ISE. However this state is not secure and it looks like ISE is expecting a second auth that never happens since it regards the port as multiple device port. Do you have any idea to solve this?

sh authentication interface g1/0/44     

Client list:
Interface  MAC Address     Method   Domain   Status         Session ID
  Gi1/0/44   1c6a.7a58.6308  mab      DATA     Authz Success  0A3EE006000008A19F6303A7

Available methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab
Runnable methods list:
  Handle  Priority  Name
    3        0      dot1x
    4        1      mab

as111.slu2#sh authentication sess interface g1/0/44
            Interface:  GigabitEthernet1/0/44
          MAC Address:  1c6a.7a58.6308
           IP Address:  Unknown
            User-Name:  1C-6A-7A-58-63-08
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  in
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-dACL-MI-CAPWAP-55fa71f9
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A3EE006000008A19F6303A7
      Acct Session ID:  0x000013D7
               Handle:  0xB30008A2

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Re: Hi Neno.

Hi Mats,


Just wondering if were successful in sorting out this issue? I'm running into a similar issue with our FlexConnect APs. We ran into two different sets of issues with our Multi-Host setup.


1) At few of our branches, we noticed that the first MAC learnt is a workstations MAC which is connected through the AP. Technically, AP must be the first MAC seen by switch. Don't know whats causing this.


2) The dACL we issued via ISE is restrictive and only allows certain ports. This seems to be breaking the connectivity of the workstations connected to the SSID. So, I'm suspecting if I have a missing port in my dACL or the dACL is applied to the entire session instead of applying it to the first MAC seen by the switch. By the same ACL we are issuing for our LWAPP APs & they seem to be working absolutely fine. Below is the dACL I have -


remark Allow Control and Provisioning of Wireless Access Points (CAPWAP) protocols.

permit udp any any range 5246 5248

permit udp any range 5246 5248 any

remark Allow Lightweight Access Point Protocol (LWAPP)

permit udp any any range 12222 12224

permit udp any range 12222 12224 any

remark Allow remote access (telnet and SSH)

permit tcp any range 22 23 any

remark Allow DHCP

permit udp any any eq 67

permit udp any any eq 68

remark Allow DNS

permit udp any any eq 53

remark Allow RDLP

permit udp any any eq 6352

remark Allow NSI Protocol

permit udp any any eq 37540

permit udp any any eq 37550

remark Allow TFTP

permit udp any any eq 69

remark Allow FTP

permit tcp any any eq 21

remark Allow Syslog

permit udp any any eq 514

permit icmp any any

deny ip any any


Do you reckon there could be few more ports for FlexConnects?








CreatePlease to create content