https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029573#M23881 <P>Hi,</P> <P></P> <P>In MAB, authentication use Internal Endpoint where&nbsp;<STRONG>If user not found "CONTINUE"</STRONG></P> <P>It will move to authorization policy. MAC address gets added in ISE database&nbsp;as per profiled Endpoint.</P> <P></P> <P>Even if it doesn't match any profiling policy, it will&nbsp;become part of Unknown endpoint.</P> <P></P> <P>As per second query, it fails authentication because RADIUS has one packet for authentication and authorization. So even it passes authentication and failed in authorization, you will get failed authentication report.</P> <P></P> <P>Regards</P> <P>Gagan</P> <P>PS: rate helpful posts!!!!!</P> Mon, 20 Feb 2017 21:00:23 GMT Gagandeep Singh 2017-02-20T21:00:23Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029572#M23880 <P>We are using a default Wired_MAB configuration.</P> <P>As I understand it a device tries to authenticate and as part of this the identity store i.e. the local internal identity store is queried.</P> <P>If this is a new device it isn't in the Identity Store, however our new device seems to get added.</P> <P>Is it the case that authentication proceeds after MAB with ISE continuing to Authorization Rules, if a device passes profiling it is added to the Identity Store and having been added, at THAT point authentication can now be successful?</P> <P>It has always seemed&nbsp;odd to me that there does not seem to be a failure&nbsp;condition within Authentication for MAB devices, however if a device fails to profile i.e. Authorize, it also fails authentication.</P> <P>Can someone clarify this?</P> <P></P> <P>Thanks</P> Mon, 11 Mar 2019 07:28:48 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029572#M23880 bbriggs 2019-03-11T07:28:48Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029573#M23881 <P>Hi,</P> <P></P> <P>In MAB, authentication use Internal Endpoint where&nbsp;<STRONG>If user not found "CONTINUE"</STRONG></P> <P>It will move to authorization policy. MAC address gets added in ISE database&nbsp;as per profiled Endpoint.</P> <P></P> <P>Even if it doesn't match any profiling policy, it will&nbsp;become part of Unknown endpoint.</P> <P></P> <P>As per second query, it fails authentication because RADIUS has one packet for authentication and authorization. So even it passes authentication and failed in authorization, you will get failed authentication report.</P> <P></P> <P>Regards</P> <P>Gagan</P> <P>PS: rate helpful posts!!!!!</P> Mon, 20 Feb 2017 21:00:23 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029573#M23881 Gagandeep Singh 2017-02-20T21:00:23Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029574#M23882 <P>Please rate as correct if it helps!!!!</P> <P>Also let me know if you have any concerns on this thread...</P> <P></P> <P>Regards</P> <P>Gagan</P> Mon, 20 Feb 2017 21:23:49 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029574#M23882 Gagandeep Singh 2017-02-20T21:23:49Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029575#M23883 <P>Thanks for that. That's a great help.</P> Wed, 22 Feb 2017 17:56:00 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029575#M23883 bbriggs 2017-02-22T17:56:00Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029576#M23884 <P>Your Welcome!!!!!</P> Wed, 22 Feb 2017 18:49:06 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/3029576#M23884 Gagandeep Singh 2017-02-22T18:49:06Z https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/4119957#M561742 <P>Hi, appreciate this is now an old thread but wondering if you can help me, i have the exact same query as above.&nbsp; I don't want the MAC address to be auto-populated into the inventory in the case where the device is unknown it should remain unknown and rejected.&nbsp; Any idea's how i can resolve this?</P><P>thanks</P> Thu, 16 Jul 2020 14:15:00 GMT https://community.cisco.com/t5/network-access-control/mab-authentication-operation-and-its-interaction-with/m-p/4119957#M561742 JonMoss92624 2020-07-16T14:15:00Z