<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Basic ISE policy behavior in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339900#M598598</link>
    <description>&lt;P&gt;One small addition to what Aref said in the last sentence - as mentioned, for MAB Authentication to work, it's required to change the ISE default setting for "User not found" to CONTINUE&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1760911604649.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/253857i9869F2102BA29AF2/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_0-1760911604649.png" alt="ArneBier_0-1760911604649.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;If you want to create a final "Catch all" Authorization Rule to process endpoints that ISE sees for the first time (Unknown User), or ones it has seen before but didn't match any AuthZ rules (Not Unknown, but also Auth Passed), you can create a Rule as below.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_1-1760911848777.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/253858iC78D954F076BB5B0/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_1-1760911848777.png" alt="ArneBier_1-1760911848777.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;I don't like using the Default AuthZ rule, because I can't modify the name to reflect the rule's logic - I use a naming convention in my AuthZ rules to filter for things in Live Logs and Context Visibility.&lt;/P&gt;
</description>
    <pubDate>Sun, 19 Oct 2025 22:13:31 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2025-10-19T22:13:31Z</dc:date>
    <item>
      <title>Basic ISE policy behavior</title>
      <link>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339607#M598584</link>
      <description>&lt;P&gt;Regarding Authentication, when referencing the Internal Endpoint Database in policy, it seems to me that all profiled nodes will pass authentication since they all get populated into the Endpoint Database upon profiling?&amp;nbsp; If true, the real access control depends on Authorization.&amp;nbsp; In other words, when using MAB, all things (good, bad and ugly) get authenticated, have access to the network and must be stopped or controlled using Authorization?&lt;/P&gt;&lt;P&gt;Can someone please confirm this behavior?&lt;/P&gt;&lt;P&gt;I suppose one could turn off profiling at the expense of its benefits.&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 18:03:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339607#M598584</guid>
      <dc:creator>miller-p</dc:creator>
      <dc:date>2025-10-17T18:03:13Z</dc:date>
    </item>
    <item>
      <title>Re: Basic ISE policy behavior</title>
      <link>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339674#M598587</link>
      <description>&lt;P&gt;Profiling doesn't play any role here. You're right in saying that any MAC address that is known to ISE would pass authentication when you point to the internal endpoints database but only if that MAC address was seen by ISE. Essentially, if ISE ever stored that MAC address in its internal database and you use that database as the identity source for authentication then yes, authentication for that device will pass and the decision will happen based on the authorization policy. Inother interesting use case would be with guest users. The guest endpoints usually are not managed by ISE and they come to ISE as new endpoints, so ISE wouldn't have any of those endpoints MAC addresses stored in its database. So, to allow them access to their isolated network we change a setting in the authentication rule saying if the authentication fails consider it as passed anyway. In simple words we're telling ISE don't worry about if you know that MAC or not, just pass it, and then we enforce the access of those guests on the authorization rules. You could add a condition in the authorization rule to check if the authentication has passed, but that won't change much because if the MAC is already known to ISE it means it has passed the authentication.&lt;/P&gt;</description>
      <pubDate>Sat, 18 Oct 2025 08:39:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339674#M598587</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2025-10-18T08:39:48Z</dc:date>
    </item>
    <item>
      <title>Re: Basic ISE policy behavior</title>
      <link>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339900#M598598</link>
      <description>&lt;P&gt;One small addition to what Aref said in the last sentence - as mentioned, for MAB Authentication to work, it's required to change the ISE default setting for "User not found" to CONTINUE&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1760911604649.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/253857i9869F2102BA29AF2/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_0-1760911604649.png" alt="ArneBier_0-1760911604649.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;If you want to create a final "Catch all" Authorization Rule to process endpoints that ISE sees for the first time (Unknown User), or ones it has seen before but didn't match any AuthZ rules (Not Unknown, but also Auth Passed), you can create a Rule as below.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_1-1760911848777.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/253858iC78D954F076BB5B0/image-size/large?v=v2&amp;amp;px=999" role="button" title="ArneBier_1-1760911848777.png" alt="ArneBier_1-1760911848777.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;I don't like using the Default AuthZ rule, because I can't modify the name to reflect the rule's logic - I use a naming convention in my AuthZ rules to filter for things in Live Logs and Context Visibility.&lt;/P&gt;
</description>
      <pubDate>Sun, 19 Oct 2025 22:13:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/basic-ise-policy-behavior/m-p/5339900#M598598</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2025-10-19T22:13:31Z</dc:date>
    </item>
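Added example, not part of the thread above and not Cisco's code: a small model of the MAB flow that Aref and Arne describe, so the effect of the "If User not found" option and of the final catch-all authorization rule can be seen side by side. The Internal Endpoints entries and the authorization rules are constructed for illustration; the attribute name "Network Access:AuthenticationStatus" and its values (AuthenticationPassed, UnknownUser) are taken from the ISE dictionary as I know it, and the rule names, ACL names and the drop/reject outcome strings are assumptions.

```python
# Added example (not from the thread): a model of how a MAB request is processed
# against the Internal Endpoints store. Endpoints, rule names and results below
# are constructed for illustration; AuthenticationStatus values mirror the ISE
# dictionary attribute "Network Access:AuthenticationStatus".

from dataclasses import dataclass, field

# Constructed sample of what the Internal Endpoints store holds. Profiling adds
# any MAC ISE has ever seen, so "known" does not mean "trusted".
INTERNAL_ENDPOINTS = {
    "00:11:22:33:44:55": {"EndPointPolicy": "Cisco-IP-Phone", "IdentityGroup": "Phones"},
    "66:77:88:99:aa:bb": {"EndPointPolicy": "Unknown", "IdentityGroup": "Unknown"},
}


@dataclass
class AuthnResult:
    status: str                      # AuthenticationPassed or UnknownUser
    outcome: str                     # continue, reject or drop
    endpoint: dict = field(default_factory=dict)


def mab_authentication(mac, if_user_not_found="REJECT"):
    """MAB against the Internal Endpoints identity store.

    if_user_not_found models the ISE authentication rule option of that name:
    REJECT (default) ends processing with an Access-Reject, DROP discards the
    request silently, CONTINUE hands the session to the authorization policy
    with AuthenticationStatus = UnknownUser.
    """
    entry = INTERNAL_ENDPOINTS.get(mac.lower())
    if entry is not None:
        # Any MAC present in the store passes; nothing else is checked here.
        return AuthnResult("AuthenticationPassed", "continue", entry)
    if if_user_not_found == "CONTINUE":
        return AuthnResult("UnknownUser", "continue")
    if if_user_not_found == "DROP":
        return AuthnResult("UnknownUser", "drop")
    return AuthnResult("UnknownUser", "reject")


# Authorization rules, first match wins, as in an ISE policy set. Each condition
# receives the session attributes. The catch-all rule matches both endpoints
# seen for the first time (UnknownUser) and known endpoints that matched no
# earlier rule (AuthenticationPassed); the Default rule denies everything else.
AUTHZ_RULES = [
    ("AuthZ-Phones",
     lambda s: s["IdentityGroup"] == "Phones",
     "PermitAccess+VoiceVlan"),
    ("AuthZ-Catch-All-MAB",
     lambda s: s["AuthenticationStatus"] in ("UnknownUser", "AuthenticationPassed"),
     "Quarantine-ACL"),
    ("Default",
     lambda s: True,
     "DenyAccess"),
]


def authorize(session):
    """Return (rule name, authorization result) for the first matching rule."""
    for name, condition, result in AUTHZ_RULES:
        if condition(session):
            return name, result
    raise RuntimeError("unreachable: the Default rule always matches")


def process_mab(mac, if_user_not_found="REJECT"):
    """Run authentication then authorization; returns (status, rule, result)."""
    authn = mab_authentication(mac, if_user_not_found)
    if authn.outcome == "reject":
        return authn.status, None, "Access-Reject"
    if authn.outcome == "drop":
        return authn.status, None, "Silent-Drop"
    session = {
        "AuthenticationStatus": authn.status,
        "IdentityGroup": authn.endpoint.get("IdentityGroup", "Unknown"),
        "EndPointPolicy": authn.endpoint.get("EndPointPolicy", "Unknown"),
    }
    rule, result = authorize(session)
    return authn.status, rule, result


if __name__ == "__main__":
    for mac, option in [("00:11:22:33:44:55", "REJECT"),
                        ("66:77:88:99:aa:bb", "REJECT"),
                        ("de:ad:be:ef:00:01", "REJECT"),
                        ("de:ad:be:ef:00:01", "CONTINUE")]:
        print(mac, option, process_mab(mac, option))
```

The two runs for de:ad:be:ef:00:01 are the point of Arne's screenshot: with the default REJECT the never-seen MAC never reaches authorization, with CONTINUE it lands on the catch-all rule as UnknownUser. The profiled-but-unmatched endpoint 66:77:88:99:aa:bb passes authentication and lands on the same catch-all rule, which is why the real control is the authorization result that rule returns.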
  </channel>
</rss>

