topic Re: 802.1x and Mab same policy in Network Access Control

802.1x and Mab same policy

JonathanC1 — Thu, 27 Apr 2023 17:20:10 GMT

Hi folks,

I’ve got a specific use case whereby we need to use peap-mschapv2 and add a condition where by the device has to be in a endpoint identity group by mac.

For example the workflow - User connects to wireless with an ssid that is 802.1x enabled and then authenticated like usual with peap + mschapv2. The authorisation policy then needs to to include the group they are in AD I.e domain users AND also the device needs to be an endpoint identity group with their MAC address. They then get the authorisation result I.e Permit.

Is this possible or am I overthinking

Jon

Re: 802.1x and Mab same policy

Nancy Saini — Thu, 27 Apr 2023 17:46:28 GMT

You can create an authentication policy with AD as identity source and in the authorization policy put endpoint group as the condition. This should cover your scenario

Re: 802.1x and Mab same policy

JonathanC1 — Thu, 27 Apr 2023 20:07:34 GMT

So can’t do both with the condition? E.g if user is in a certain group in ad. Thx

Re: 802.1x and Mab same policy

Dustin Anderson — Thu, 27 Apr 2023 20:31:51 GMT

authentication would be one of the conditions to get to the policies IE, user is a user in AD, then use the conditions in the policy rules to verify any group membership etc.

Example for us is for a wireless device to go on internal network, we have ISE keep a record of devices themselves and call to check that the MAC is a domain PC with the WasMachineAuthenticated.

If, you are looking to check both in AD, you can do EAP chaining, but that will just check a user and that it's a domain PC, not check for specific groups.

Re: 802.1x and Mab same policy

thomas — Sun, 07 May 2023 17:15:39 GMT

Yes. You should have just tried it. 8-)