topic Re: ISE 3.0 and MAB Configuration in Network Access Control

ISE 3.0 and MAB Configuration

Robert Molina — Fri, 01 Oct 2021 20:35:06 GMT

I am new to this and starting into configuring our ISE servers with policies for allowing endpoints to authenticate using 802.1X. I am taking a phased approach to this so I don't accidently shut down the whole network. After much research, I started with a policy set that allows network access using Wired MAB. In order to monitor, I first configured the switch with:

aaa authentication dot1x default group Groupname

aaa authentication dot1x start-stop group Groupname

For the interfaces that I am testing on I configured it with:

authentication port-control auto

authentication host-mode multi-auth

authentication open

authentication periodic

mab

dot1x pae authenticator

dot1x timeout supp-timeout 30

dot1max-req 2

The associated endpoints all authenticated without issues using this format. Unfortunately this doesn't work when the endpoint is a printer. I added the command authentication control-direction in.

The printer would still not pass authentication and access to printer is lost. I don't have a specific policy set for the printers and I don't know how to write one up.

Can anyone assist me? Thank you for your support

Re: ISE 3.0 and MAB Configuration

Marcelo Morais — Sat, 02 Oct 2021 06:02:12 GMT

Hi @Robert Molina ,

a simple example:

At Work Centers > Profiler > Profiling Policies > Logical Profiles

1. create a Printer-Profiler and at Assigned Policies select your Printer model.

Note: if you don't find your Printer model, then create one at Profiling Policies.

At Policy > Policy Sets

Policy Set Name: Wired-MAB

Condition: Wired-MAB

Note: you are able to find the Wired-MAB condition at Policy > Policy Elements > Conditions > Library Conditions.

2. Authentication Policy

Rule Name: MAB

Condition: Wired-MAB

Use: Internal Endpoints

3. Authorization Policy

Rule Name: Printer-MAB

Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

Hope this helps !!!

Re: ISE 3.0 and MAB Configuration

Mohammed al Baqari — Sat, 02 Oct 2021 06:18:44 GMT

Hi,

Just one thing on top of what @Marcelo Morais said. In the authentication
policy, modify the settings if authentication failed to continue instead of
reject. This is needed for mab.

Also, before creating profiling policy, check in context visibility
》endpoints. It might be already profiled as ISE has a lot of pre-built
profiling policies.

Regards, Mohammed Al Baqari

Re: ISE 3.0 and MAB Configuration

Robert Molina — Mon, 04 Oct 2021 17:58:29 GMT

@Marcelo Morais

Thank you for your response. I attempted to follow you instructions, but I am having difficulty with step 3.

3. Authorization Policy

Rule Name: Printer-MAB

Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

I went to Authorization Policy, gave it the rule name, but when I tried to implement the Condition, I couldn't find it or was I supposed to add it as I was building the policy but I can't find the logical profile condition. I already made a logical profile for our printers and it recognizes the printers that we have on the network. Can you provide a little more detail? I'll keep working on it while I wait for your answer.

Re: ISE 3.0 and MAB Configuration

Robert Molina — Mon, 04 Oct 2021 18:00:46 GMT

@Mohammed al Baqari

Thanks for reminding me. There are a lot of prebuilt profiling policies, but one of our printers is not listed, so I ended up building one for that specific printer. I will also remember to do the authentication to continue.

Re: ISE 3.0 and MAB Configuration

Robert Molina — Mon, 04 Oct 2021 19:43:57 GMT

I finally found the Endpoing.LogicalProfile. I created a rule for the printer and hope it works. I will give a shot a today.

Thank you for your assistance.

Re: ISE 3.0 and MAB Configuration

Robert Molina — Mon, 04 Oct 2021 20:01:45 GMT

I tried to make it work, but as soon as I implemented the Monitor ACL on the switch, I couldn't ping its IP and of course couldn't print.

I just have to wait until it shows up again. Of course, this particular printer is one that is not on the pre-built by Cisco. So I am going to have to change it back to using port-security.

Re: ISE 3.0 and MAB Configuration

tonyang — Tue, 04 Oct 2022 09:56:45 GMT

Hi Marcelo Morais,

Does Cisco ISE need to have advantage license if I'd like to use profiler service ?

Re: ISE 3.0 and MAB Configuration

hslai — Thu, 06 Oct 2022 23:49:22 GMT

ISE profiling services do consume advantage license. Please check ISE Ordering Guide

You may try it by using the 90-day eval for 100-endpoints that comes with a fresh ISE install or factory reset.

Re: ISE 3.0 and MAB Configuration

hslai — Thu, 06 Oct 2022 23:52:49 GMT

@Robert Molina What advised so far have been on how to classify/profiling your printer device. As to the switch configuration and ISE authorization policy rule and profile, please check ISE Secure Wired Access Prescriptive Deployment Guide or watch one of our videos at http://cs.co/ise-videos.

Re: ISE 3.0 and MAB Configuration

tonyang — Sat, 08 Oct 2022 14:12:26 GMT

Thank you, hslai.