topic Re: MAB authentication in Network Access Control

MAB authentication

anson-bates — Sat, 06 Oct 2018 14:22:22 GMT

Hi I am trying to enable MAB authentication to allow only a specific group of mac address on the network

I am trying to create a group but not sure how, I have tried in the Endpoint Identity Group but it does seem like it works

Attached is the picture of what i am trying to do and that is change group wired_mab is using to authenticate.

How do i add my own group to this list. for example instead of internal endpoint i want the group to be call funky mab

Re: MAB authentication

Marius Gunnerud — Sat, 06 Oct 2018 17:42:48 GMT

You would need to create an Identity source sequence and then reference Internal Endpoints.

Re: MAB authentication

anson-bates — Sat, 06 Oct 2018 17:50:43 GMT

The issue I am running into is that ISE is dynamically adding MAC address once plugged into a switch port. How do I turn this off

Re: MAB authentication

Marius Gunnerud — Sat, 06 Oct 2018 19:26:32 GMT

I am not entirely sure how you have configured your policy but this is an example of what you could do. Keep in mind that the following will match all wired MAB (and possibly wireless MAB depending on how your Policy set is configured).

1. create an Endpoint Identity Group and place the MAC addresses for the MAB clients in this group

2. Go to Policy Elements > Results and create an authorization result policy for the MAB devices

3. Go to Policy Sets and edit the MAB policy, if one doesn't exist create a MAB policy Condition should be Wired_MAB and Allowed Protocols should be Default Network Access

4. Edit the policy you just created and under Authentication Policy create a new policy where the condition is Wired_MAB and under "use" select Internal Endpoints

5. Under Authorization Policy where the condition matches "Identity Group Name EQUALS Endpoint Identity Groups:<name of identity group that you have created earlier>"

6. Under "Result: Profiles" select the Authorization result policy you created earlier.

7. Save the configuration

Re: MAB authentication

janis.heffe — Tue, 09 Jul 2019 07:58:33 GMT

i have the same original problem.

we have a ISE 2.4 with Patch 8 installed.

For same reason i can't create a Authorization Policy for the group.

If i assign a custom Tag to the endpoint than i can use that tag in the AuthZ Policy. But we would like to avoid that.

I can only setup a policy against the InternalUser store and note the Endpoints.

The Endpoint Dictionary only gives me the custom field and same others but not the Identity Group.

i attached same screenshots that show the steps

Re: MAB authentication

Jason Kunst — Tue, 09 Jul 2019 20:16:51 GMT

Is this something worked before for you? There are examples of working authorization rules here for endpoint groups

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId--916002297

Re: MAB authentication

janis.heffe — Wed, 10 Jul 2019 08:16:59 GMT

thank you very much.

for same reason i couldn't find it.

It is a new installation and we are in the process of getting ready to migrate from ACS to ISE. We are moving forward to the testing phase.

Re: MAB authentication

DHCBT — Fri, 25 Mar 2022 14:08:46 GMT

Sorry to bring up an old thread but did you ever find an answer to this quest? I would greatly appreciate a response. Thanks!