https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395076#M548525 Hi Arne,<BR /><BR />Excellent.<BR /><BR />I will try all that you have suggested.<BR /><BR />I do have a Cisco Catalyst switch, a Windows 7 (just not an AD or<BR />Certificate server) so was wondering also if there is a<BR />quick to match on the Windows Workstation (non-domain) attribute to just<BR />create an authentication and authorization policy to make things work.<BR /><BR />Thank you!<BR /> Wed, 06 Jun 2018 16:09:45 GMT latenaite2011 2018-06-06T16:09:45Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3394731#M548523 <P>Just wondering what is the best way to test 802.1x and MAB authentication using a workgroup without an AD or certificate environment.</P> Fri, 21 Feb 2020 18:57:32 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3394731#M548523 latenaite2011 2020-02-21T18:57:32Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3394756#M548524 <P>you can fake this with a clever lab setup - all the tools are available in open source.&nbsp; Have a look at my 3 part series of how to do this</P> <P>&nbsp;</P> <P><A title="Rapid prototyping ISE Policies without any real networking hardware (part 1)" href="https://communities.cisco.com/community/technology/security/pa/ise/blog/2017/05/04/rapid-prototyping-ise-policies-without-any-real-networking-hardware" target="_self">Rapid prototyping ISE Policies without any real networking hardware (part 1)</A></P> <P><A title="Rapid prototyping ISE Policies without any real networking hardware (part 2)" href="https://communities.cisco.com/community/technology/security/pa/ise/blog/2017/05/04/rapid-prototyping-ise-policies-without-any-real-networking-hardware-part-2" target="_self">Rapid prototyping ISE Policies without any real networking hardware (part 2)</A></P> <P><A title="Rapid prototyping ISE Policies without any real networking hardware (part 3)" href="https://communities.cisco.com/community/technology/security/pa/ise/blog/2017/05/04/rapid-prototyping-ise-policies-without-any-real-networking-hardware-part-3" target="_self">Rapid prototyping ISE Policies without any real networking hardware (part 3)</A></P> <P>&nbsp;</P> <P>I use this all the time to test EAP-EAP, EAP-TLS, PAP/ASCII auth</P> Wed, 06 Jun 2018 05:56:58 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3394756#M548524 Arne Bier 2018-06-06T05:56:58Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395076#M548525 Hi Arne,<BR /><BR />Excellent.<BR /><BR />I will try all that you have suggested.<BR /><BR />I do have a Cisco Catalyst switch, a Windows 7 (just not an AD or<BR />Certificate server) so was wondering also if there is a<BR />quick to match on the Windows Workstation (non-domain) attribute to just<BR />create an authentication and authorization policy to make things work.<BR /><BR />Thank you!<BR /> Wed, 06 Jun 2018 16:09:45 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395076#M548525 latenaite2011 2018-06-06T16:09:45Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395296#M548526 <P>well you could always create local identities (accounts) on ISE and then authenticate against those.&nbsp; Not sure what you mean exactly by matching on workgroup attributes?&nbsp; Maybe an example (I am not a Microsoft jockey ;-&gt; )</P> Wed, 06 Jun 2018 22:17:30 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395296#M548526 Arne Bier 2018-06-06T22:17:30Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395355#M548527 Hi Anre,<BR /><BR />I am good with this. Thank you for the reply.<BR /><BR />I was able to test your radclient tool and works fine. Thank you!<BR /><BR />I was able to get MAB authentication working on a laptop that was<BR />configured part of a Endpoint group and was trying to test with a different<BR />laptop newly plugged in. I wasn't able to connect, which is fail, but the<BR />"show authen session" fails that is it Authz Failed (see below), but I<BR />don't see the Mab authentication ( I have made sure that 802.1x is<BR />disabled).<BR /><BR />Port 7 is configured similar to the one that was working. So why wouldn't<BR />it show mab for method?<BR /><BR />Secondly, I was testing port 2/0/6 again and had disconnected the cable for<BR />a different test and thought I would try connect, now that computer can't<BR />connect and don't get authen successful. I noticed that the mac address of<BR />that computer is not under the Endpoint Group that I added it to (which<BR />matched the policy that I created it for). Why would a mac address get<BR />deleted from a Identity Group under Work Centers, Device Admin - Identity<BR />Groups - Endpoint Identity Groups - Workgroup..<BR /><BR />Gi2/0/7 0026.b99f.09b5 N/A DATA Authz Failed<BR /> C0A8015D000001E20C2BCE18<BR /><BR />Does the mac address get deleted every time a computer disconnects?<BR /><BR />So what would happen to we manually add a mac address to a Whitelist<BR />EndPoint Identity group and that gets deleted if the computer is<BR />disconnected, we have to add it back everytime?<BR /> Thu, 07 Jun 2018 00:58:45 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395355#M548527 latenaite2011 2018-06-07T00:58:45Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395356#M548528 <P>Although I understand the theory of MAB, I don't have much experience with wired switches at the moment. I mostly deal with MAB in the context of wireless guest.&nbsp;</P> <P>If you are using profiling then perhaps the endpoint gets moved from one Endpoint Identity Group to another. I don't use profiling so I wouldn't know.&nbsp; When I have placed a MAC address in an Endpoint Identity Group then it has always remained there, unless I deleted it via the Context Visibility page, or if I deleted a Sponsored Guest Account via the Sponsor Portal (and that is then the expected behaviour).</P> <P>&nbsp;</P> Thu, 07 Jun 2018 01:25:22 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395356#M548528 Arne Bier 2018-06-07T01:25:22Z https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395366#M548529 Hi Arne,<BR /><BR />Yes, looks like it was because of me deleting the endpoint from the Context<BR />Visibility.<BR /><BR />That is how I tested with dot1x too so have to see how to go about being<BR />able to test this again under 802.1x if the mac has<BR />been provided.<BR /><BR />thank you!<BR /> Thu, 07 Jun 2018 02:19:45 GMT https://community.cisco.com/t5/network-access-control/802-1x-and-mab-authentication-using-a-workgroup/m-p/3395366#M548529 latenaite2011 2018-06-07T02:19:45Z