topic Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio in Network Access Control

Unauthorized Endpoint Access Issue with Wireless MAB Authentication

tamer01 — Sun, 05 Jan 2025 19:43:06 GMT

I am facing an issue with Cisco ISE version 3.3. I created a policy for wireless MAB authentication to restrict access for certain endpoints, as shown in the attached image. However, unauthorized endpoints are still able to connect to the SSID by matching the default ‘Default_Authenticated_Access’ policy. Disabling this policy causes issues with access to other SSIDs. How can I resolve this?

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

MHM Cisco World — Sun, 05 Jan 2025 19:51:20 GMT

Can I see policy set you use in ISE

MHM

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

Flavio Miranda — Sun, 05 Jan 2025 20:00:50 GMT

@tamer01

How are you matching the Mac address?

If you disable the Default_Authenticated_Access other SSID is impacted, maybe is better review your policies.

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

tamer01 — Sun, 05 Jan 2025 20:32:19 GMT

@Flavio Miranda @MHM Cisco World
Here’s the authentication and authorization policies.
as I said before the unauthorized mac hits in basic_authenticated_access policy as shown in live logs

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

tamer01 — Sun, 05 Jan 2025 20:17:13 GMT

After disabling Default_Authenticated_Access, trying to associate and loading not gaining access for all ssids MAB or dot1x

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

Flavio Miranda — Sun, 05 Jan 2025 21:26:03 GMT

@tamer01

I am looking the print over a smartphone. I can not see where you setup the wlan ID for Mab.

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

MHM Cisco World — Sun, 05 Jan 2025 21:35:46 GMT

called-id <<- how you config this in WLC and under policy set, I see only end with can you more elborate

MHM

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

tamer01 — Mon, 06 Jan 2025 07:19:15 GMT

@MHM Cisco World @Flavio Miranda

I’m using condition called-station-Id ends with “ssid name”.

FYI the unauthorized MACs assigned to policy’s SGT or authorization profile and it shouldn’t be happened.

I mean that unauthorized devices assign the vlan and take ip address from vlan pool then hit in basic_ authenticated_access policy

I don’t know if it’s related with authentication policy or not

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

MHM Cisco World — Mon, 06 Jan 2025 07:21:28 GMT

can you add match called-id (with SSID) for guest policy ?

MHM

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

tamer01 — Mon, 06 Jan 2025 08:52:38 GMT

@MHM Cisco World

Already added. Check highlights

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

MHM Cisco World — Thu, 09 Jan 2025 08:04:09 GMT

I will send you PM tomorrow

MHM

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

Arne Bier — Thu, 09 Jan 2025 21:03:48 GMT

What your very first screenshot tells me, is that you have built a bunch of Authentication Rules under a single Policy Set.

You have not shown us your top-level Policy Set - and I think this is where the problem lies.

You should create a Separate Policy Set for each type of Policy - e.g. in the top-level ISE Policy Set, create stuff like this:

If you want to build logic for Wireless MAB, then click into the Wireless MAB Policy (click on the far right ' > ' icon, and then start building Authentication and Authorization logic.

If you have a bunch of SSIDs, then you can also keep the Policy Set nice and tidy by creating one Policy per SSID at the top level. That would obviously also be the case for separating Guest Wireless (Wireless_MAB & Normalised SSID Contains 'GUEST') and 802.1X (Wireless_802.1X & Normalised SSID Contains 'Corp') -etc.

The Smart Condition 'Wireless_MAB' assumes that your NAD has been tagged with the appropriate vendor (e.g. Cisco, HP etc.) since some NAD devices send different RADIUS attributes during MAB - ISE abstracts this with 'Wireless_MAB'. You can further abstract the SSID name with the Smart Condition 'Normalised RADIUS: SSID' instead of referring to Called-Station-ID (under the hood it uses Called-Station-ID, but the SSID condition is more descriptive to the human).

I noticed that your Guest Redirection Rule 'UTC-Guest_GuestAccessPolicy' comes AFTER the 'UTC-Guest_RediretPolicy' - the logic is wrong - if your Rule is Wireless MAB & SSID UTC-Guest, then this will be true every time, and the rule that follows it won't ever be matched. You need to swap them around - the more specific Rules must always come before the less specific rules, when there is common logic. And also 'UTC Guest Redirect' rule is the wrong description - swap the descriptions of the UTC Guest Rules.

If wireless MAB is failing through to the default Policy, then it means that ISE is not matching all the conditions, and perhaps the NAD is not sending the attributes you expect.

Is the NAD Cisco AireOS, 9800, Meraki ,or what?

e.g. If I recall, Meraki uses PAP authentication, and not MAB. That requires a different set of Rules.

But I think your main issue is that you have not split out your Policy Sets to make the logic clear/clean.

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

tamer01 — Thu, 09 Jan 2025 22:42:29 GMT

@Arne Bier You are right.

Regarding guest, it’s created by cisco catalyst center with this sequence.

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

Arne Bier — Thu, 09 Jan 2025 22:56:36 GMT

Are you getting hits on the UTC Guest_GuestAccessPolicy? And does Guest work as expected?

Unless I missed something, the second Rule should have no hits, because it makes no logical sense in that order, because ISE does not look ahead in the rules to see if there is a better match - it stops when the conditions satisfy the Boolean operator - in this case it's an AND, which means both conditions must be TRUE to make the AND operator succeed.

Re: Unauthorized Endpoint Access Issue with Wireless MAB Authenticatio

MHM Cisco World — Fri, 10 Jan 2025 00:40:04 GMT

so in end it solved or NOT ? can you confirm

Thanks a lot

MHM