topic Cisco ISE - Authenticate WIFI Devices Using MAB, Block All Others in Network Access Control

Cisco ISE - Authenticate WIFI Devices Using MAB, Block All Others

cheery Tomato — Mon, 28 Oct 2019 08:37:24 GMT

I am trying to setup WIFI authenticating MAB devices via Cisco ISE.

The authentication comes through to Cisco ISE and the devices connect but I am getting other devices as well.

I want to restrict authentication to my list of devices only and block all others.

All I can seem to point to for a list of devices is Internal Endpoints, which just seems to be everything.

Refer to attached for the authentication policy.

Running ISE 2.2.0.470

Any help is greatly appreciated.

Cheers.

Re: Cisco ISE - Authenticate WIFI Devices Using MAB, Block All Others

CarlCarlson1234 — Mon, 28 Oct 2019 19:59:34 GMT

The pictures you provided are of your Authentication Policy. MAB will essentially authenticate anything within your Internal Endpoint database. You'll need to add all of the mac addresses of the devices you want to connect to this SSID into some sort of endpoint group. Then call that group out in your Authorization policy as permit then deny everything else.

Of course, as with all mab authentications you open yourself up to mac spoofing. So be wary of the implications of that.