topic I am not able to locate the in Network Access Control

Wifi MAC authentication on ISE 1.3

y.lo — Mon, 11 Mar 2019 05:29:41 GMT

We are trying to configure ISE to authenticate wifi user through WLC using MAC address.

ISE checks against internal endpoint identity store for authorized MAC address.

We found that the first time a wifi device tries to connect (this MAC address has not yet been manually input in the internal endpoint identity store) the authentication fails which is normal. However after this authentication failure, such MAC address will be automatically input in the internal endpoint identity store. So next time the same wifi device tries to connect the authentication will succeed.

How to configure ISE to prevent this from happening?

An "authorized" mac address

jan.nielsen — Wed, 25 Feb 2015 18:37:18 GMT

An "authorized" mac address should be so, by putting it into a specific group in ISE manually, so that you have to move it there to allow it to connect. Then update your authz rule to only allow mac adresses from that specific internal group.

Just so we are clear, this is not for guest access right? Is it just an open ssid where you wan't to control what mac addresses are allowed on there ?

Yes they are authorized and

y.lo — Thu, 26 Feb 2015 01:54:38 GMT

Yes they are authorized and not guest. I already put them into a endpoint identity Group. However in the authorization policy I can only select the built-in default internal endpoint identity group, not the one I created. However can I select the one I created?

Hi Daniel,Make sure that in

krishnangangster — Sun, 01 Mar 2015 06:00:00 GMT

Hi Daniel,

Make sure that in your Authentication Policy for MAB, If the user not found, give the option as

Drop.

Try with that.

When you create the identity

bikespace — Tue, 03 Mar 2015 22:53:34 GMT

When you create the identity group that you want to use in profiling, make sure you select "Yes, create matching Identity Group".

The group will become available for selection in your policy.

Otherwise, as you've found, every endpoint in the whole system will be allowed on by default.

I am not able to locate the

y.lo — Mon, 20 Jul 2015 08:18:41 GMT

I am not able to locate the item "Yes, create matching Identity Group" when creating the identity group.

Could you advise the specific location? Thanks a lot.

I tried giving the option as

y.lo — Mon, 20 Jul 2015 08:20:27 GMT

I tried giving the option as Drop, but the MAC address is still stored in the internal endpoint database. And thus next time the same device authenticates, the authentication is successful, which is not desired.