https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971570#M585532 <P><BR /><EM>&nbsp; &gt;...I'm looking into how to allow MAB for endpoints which had successful 802.1x authentication.</EM><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Inconsistent requirement , 802.1x supersedes MAB</P> <P><EM>&nbsp;&gt;...s there a way to update some endpoint attribute based on a successful 802.1x authentication which then gets used whenever the client (for whatever reason) <FONT color="#FF6600">goes through MAB?</FONT></EM><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- The client doesn't go to anything&nbsp; ; what the client does is determined by the NAC (ISE) infrastructure <STRONG>(only)</STRONG></P> <P>&nbsp;M.</P> Tue, 05 Dec 2023 10:53:32 GMT Mark Elsen 2023-12-05T10:53:32Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971540#M585530 <P>Hello everybody,</P> <P>I'm looking into how to allow MAB for endpoints which had successful 802.1x authentication.</P> <P>Is there a way to update some endpoint attribute based on a successful 802.1x authentication which then gets used whenever the client (for whatever reason) goes through MAB?</P> <P>On another NAC solution you can set the endpoint to known through after an authentication.</P> <P>How would I do that in ISE?</P> <P>Thanks in advance!</P> <P>BR</P> <P>Jonatan</P> Tue, 05 Dec 2023 10:11:42 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971540#M585530 JonatanSitter 2023-12-05T10:11:42Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971570#M585532 <P><BR /><EM>&nbsp; &gt;...I'm looking into how to allow MAB for endpoints which had successful 802.1x authentication.</EM><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Inconsistent requirement , 802.1x supersedes MAB</P> <P><EM>&nbsp;&gt;...s there a way to update some endpoint attribute based on a successful 802.1x authentication which then gets used whenever the client (for whatever reason) <FONT color="#FF6600">goes through MAB?</FONT></EM><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- The client doesn't go to anything&nbsp; ; what the client does is determined by the NAC (ISE) infrastructure <STRONG>(only)</STRONG></P> <P>&nbsp;M.</P> Tue, 05 Dec 2023 10:53:32 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971570#M585532 Mark Elsen 2023-12-05T10:53:32Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971594#M585533 <P>Thanks for the helpful response.</P> <P>I know that 802.1x supersedes MAB. But as you might know, sometimes an endpoint fails to authenticate over 802.1x.<BR />At that point the switch allows for MAB. I want ISE to authenticate/authorize an endpoint over MAB only if there has been a successful 802.1x authentication for example the day before.</P> <P>We should be able to set endpoint attributes in the authorization process. Not only send radius attributes to the switch but also add custom attributes to the endpoint database.</P> Tue, 05 Dec 2023 11:18:26 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971594#M585533 JonatanSitter 2023-12-05T11:18:26Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971595#M585534 <P>First config ISE as MAB and as 802.1x</P> <P>Then config your SW with&nbsp;</P> <P>802.1x flexible auth&nbsp;</P> <P>Where order and priority make big rule in make end point auth both or one of mab/802.1x</P> Tue, 05 Dec 2023 11:24:08 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971595#M585534 MHM Cisco World 2023-12-05T11:24:08Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971597#M585535 <P><A href="https://www.google.com/url?sa=t&amp;source=web&amp;rct=j&amp;opi=89978449&amp;url=https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf&amp;ved=2ahUKEwjJ9dHSl_iCAxXCVvEDHd3mBx4QFnoECBAQAQ&amp;usg=AOvVaw3z5i9twAwNga4buBNcHYyk" target="_blank">https://www.google.com/url?sa=t&amp;source=web&amp;rct=j&amp;opi=89978449&amp;url=https://www.cisco.com/c/dam/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/flexible_authentication.pdf&amp;ved=2ahUKEwjJ9dHSl_iCAxXCVvEDHd3mBx4QFnoECBAQAQ&amp;usg=AOvVaw3z5i9twAwNga4buBNcHYyk</A></P> Tue, 05 Dec 2023 11:25:17 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971597#M585535 MHM Cisco World 2023-12-05T11:25:17Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971746#M585536 <P>If 802.1x fails for whatever reason, do you&nbsp;<EM>really</EM> want to allow access?&nbsp; What if the device is stolen?&nbsp; The thief now has access to your network.&nbsp; Just because another solution allows an insecure workaround it should&nbsp;<STRONG>not</STRONG> be the norm.&nbsp;&nbsp;</P> Tue, 05 Dec 2023 14:56:23 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971746#M585536 Charlie Moreton 2023-12-05T14:56:23Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971752#M585537 <P>What about PXE boot for example? In that case the PC/Laptop does not respond to 802.1x and needs to fall back to MAB. I want to only allow that if it has previously authenticated successfully and not just for any pxe device.</P> Tue, 05 Dec 2023 15:04:49 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971752#M585537 JonatanSitter 2023-12-05T15:04:49Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971759#M585539 <P>Move the endpoint MAC address to a PXE Endpoint Identity Group and reference that in your Authorization Policy</P> Tue, 05 Dec 2023 15:09:38 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971759#M585539 Charlie Moreton 2023-12-05T15:09:38Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971761#M585540 <P>Can that be done automatically?<BR />i.e. if authenticated successfully -&gt; endpoint gets assigned a certain endpoint identity group which later can be referenced in MAB authz policy.</P> Tue, 05 Dec 2023 15:12:25 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971761#M585540 JonatanSitter 2023-12-05T15:12:25Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971769#M585542 <P>It can be, it depends on how you have your profiling and/or EIGs set up as to how you would determine which EIG the endpoints are assigned</P> Tue, 05 Dec 2023 15:20:56 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4971769#M585542 Charlie Moreton 2023-12-05T15:20:56Z https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4972316#M585553 <P>Could you maybe give me some hints, what to look for?</P> Wed, 06 Dec 2023 12:13:14 GMT https://community.cisco.com/t5/network-access-control/ise-allow-mab-for-endpoints-which-had-successful-dot1-x/m-p/4972316#M585553 JonatanSitter 2023-12-06T12:13:14Z