topic Re: Cisco ISE MAB Authentication problems in Network Access Control

Cisco ISE MAB Authentication problems

andreasalberti — Wed, 25 Nov 2020 14:50:03 GMT

Good day,

i have a problem where I can't get any further.
Unknown hosts that authenticate themselves via MAB are automatically moved to the "unknown" group.
This group was not created by me.

The client is then allowed into the network.
Ise lets every client into the network as soon as it lands in the unknown group.
Creating a policy which should block the unknown group unfortunately didn't help either.

Could you please provide me some tips on my problem ?
If you need more detailed informations please let me know.

Best regards and thank you in advance

Re: Cisco ISE MAB Authentication problems

Mike.Cifelli — Wed, 25 Nov 2020 16:19:18 GMT

FYSA:

An unknown profile is the default system profiling policy that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE.

An Unknown profile is assigned in the following scenarios:

When an endpoint is dynamically discovered in Cisco ISE, and there is no matching endpoint profiling policy for that endpoint, it is assigned to the unknown profile.
When an endpoint is statically added in Cisco ISE, and there is no matching endpoint profiling policy for a statically added endpoint, it is assigned to the unknown profile.

Can you share your mab authz policies? Is your wish to support both mab and dot1x? Are you using any sorts of custom profiling? Do you reference identity groups as a condition in your authz conditions?

Re: Cisco ISE MAB Authentication problems

andreasalberti — Fri, 27 Nov 2020 17:42:42 GMT

Thank you in advance for your feedback.

We use both 802.1x and mab authentication.

Even if I create a policy "identity group - unknown - deny access" it still gets authenticated.

I attached two pictures.

edit*

Profiling is not enabled.

Best regards

Re: Cisco ISE MAB Authentication problems

andreasalberti — Fri, 27 Nov 2020 17:42:55 GMT

I've attached another picture.

There is no policy that extends access for the "unknown" identity group.

Kind regards

Re: Cisco ISE MAB Authentication problems

Greg Gibbs — Thu, 26 Nov 2020 21:48:16 GMT

There is not enough information being provided to help. See How to Ask The Community for Help.

From the step data, the session is hitting some AuthZ rule that is returning an ACCESS_ACCEPT. You'll need to either provide more detail on your full Authentication/Authorization Policies, Authorization Profiles involved, etc. or open a case with TAC to investigate further.