https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845749#M473599 <P>Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB. Because the positive sign&nbsp; here is that ISE successfully receives the MAC addresses.&nbsp; Like how do you think the custom device profile should be created with conditions that will match MAC addresses from SG500 switches.</P> Fri, 26 Apr 2019 06:57:53 GMT andrew.agaba 2019-04-26T06:57:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844865#M473592 <P>Hello Colleagues,</P><P>&nbsp;</P><P>The challenge I have this is authenticating and authorising devices connected to SG500-52P switches using MAB.</P><P>The ISE v2.3 receives the MAC addresses but does not process any defined policy set but the default deny.</P><P>Yet when these same devices are connected to other switches, ISE v2.3 receives the MAC addresses and successfully authenticates and authorises them against policy sets defined.</P><P>Question is, how can I create get ISE v2.3 to authenticate and authorise devices connected to these SG500-52P switches using MAB.&nbsp;</P> Thu, 25 Apr 2019 07:57:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844865#M473592 andrew.agaba 2019-04-25T07:57:36Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844951#M473593 Thu, 25 Apr 2019 09:54:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844951#M473593 andrew.agaba 2019-04-25T09:54:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844953#M473594 Thu, 25 Apr 2019 09:55:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844953#M473594 andrew.agaba 2019-04-25T09:55:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844957#M473595 This is a radius log for when a device connected to the SG500 switch fails Thu, 25 Apr 2019 09:57:23 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844957#M473595 andrew.agaba 2019-04-25T09:57:23Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844958#M473596 This is a radius log for the same device connected to another switch succeeds with MAB Thu, 25 Apr 2019 09:58:45 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3844958#M473596 andrew.agaba 2019-04-25T09:58:45Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845201#M473598 <P>MAB fails on the SG500 because Internal Endpoints is not queried as the identity store and I suspect it is because of the RADIUS attribute the switch is sending to ISE.&nbsp; It succeeds because other switches are sending RADIUS: Service-type = Callcheck.&nbsp; You'll have to create a custom device profile for the SG500 that describes how that particular switch does MAB.</P> Thu, 25 Apr 2019 15:10:15 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845201#M473598 Timothy Abbott 2019-04-25T15:10:15Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845749#M473599 <P>Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB. Because the positive sign&nbsp; here is that ISE successfully receives the MAC addresses.&nbsp; Like how do you think the custom device profile should be created with conditions that will match MAC addresses from SG500 switches.</P> Fri, 26 Apr 2019 06:57:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845749#M473599 andrew.agaba 2019-04-26T06:57:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845921#M473601 <P>It finally worked, thanks again Timothy.&nbsp;I had to create a custom policy set for Devices with MAC addresses originating from SG500 switches as you said. The policy set was created using help from this post as well:</P><P><A href="https://community.cisco.com/t5/security-documents/sg500-nad-config/ta-p/3643438" target="_blank">https://community.cisco.com/t5/security-documents/sg500-nad-config/ta-p/3643438</A></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 26 Apr 2019 10:15:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845921#M473601 andrew.agaba 2019-04-26T10:15:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845940#M473603 Have you looked at this<BR /><BR /><A href="https://community.cisco.com/t5/security-documents/ise-third-party-nad-profiles-and-configs/ta-p/3648719" target="_blank">https://community.cisco.com/t5/security-documents/ise-third-party-nad-profiles-and-configs/ta-p/3648719</A><BR /><BR /> Fri, 26 Apr 2019 10:44:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-mab-authentication-problem/m-p/3845940#M473603 Jason Kunst 2019-04-26T10:44:09Z