https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849183#M1101258 <P>Which Authorization Profile should it be hitting?&nbsp;<BR />It is hitting the Endpoint ID group, but within the Profile set it is hitting default. I assume because there is no relevant Auth Profile with the BYOD User MAB&nbsp;</P> Tue, 06 Jun 2023 12:01:08 GMT IanTonyBirchall 2023-06-06T12:01:08Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849060#M1101254 <P>Hello,</P><P>I have been stuck for several days on an ISE authentication problem with SAML.</P><P>Microsoft authentication works fine then the ISE redirects to google.com and it fails to change the authorization profile. As he does not have Internet access with the basic ACL he returns to Microsoft authentication.</P><P>It does add my MAC address in the group: EIG_BYODEndpoints</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jldebelder1984_0-1686045690123.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/186579iE055863EB8BC4515/image-size/medium?v=v2&amp;px=400" role="button" title="jldebelder1984_0-1686045690123.png" alt="jldebelder1984_0-1686045690123.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jldebelder1984_2-1686045882817.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/186583iBC0F0372F9C5A165/image-size/medium?v=v2&amp;px=400" role="button" title="jldebelder1984_2-1686045882817.png" alt="jldebelder1984_2-1686045882817.png" /></span></P><P>my authorization profile:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jldebelder1984_3-1686045940136.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/186587iB2D227127A0D923D/image-size/medium?v=v2&amp;px=400" role="button" title="jldebelder1984_3-1686045940136.png" alt="jldebelder1984_3-1686045940136.png" /></span></P><P>&nbsp;</P><P>If I cut my wifi and restart my connection, I have internet access directly without going through SAML authentication.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jldebelder1984_4-1686045989811.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/186588i8B4765B14FF2B490/image-size/medium?v=v2&amp;px=400" role="button" title="jldebelder1984_4-1686045989811.png" alt="jldebelder1984_4-1686045989811.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Jun 2023 10:07:59 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849060#M1101254 jldebelder1984 2023-06-06T10:07:59Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849183#M1101258 <P>Which Authorization Profile should it be hitting?&nbsp;<BR />It is hitting the Endpoint ID group, but within the Profile set it is hitting default. I assume because there is no relevant Auth Profile with the BYOD User MAB&nbsp;</P> Tue, 06 Jun 2023 12:01:08 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849183#M1101258 IanTonyBirchall 2023-06-06T12:01:08Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849219#M1101263 <P>Thank you for your answer.<BR />With the default because it's his first connection.</P><P>What's weird is that when I log back &nbsp;in (<SPAN>after turning off wifi)&nbsp;</SPAN>then it matches with "BYOD USER MAB".</P> Tue, 06 Jun 2023 13:34:10 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849219#M1101263 jldebelder1984 2023-06-06T13:34:10Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849223#M1101265 <P>After the SAML validation, he adds the mac address in the group but he can't match in the first <SPAN>Authorization Profile</SPAN>.</P> Tue, 06 Jun 2023 13:25:20 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849223#M1101265 jldebelder1984 2023-06-06T13:25:20Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849263#M1101272 <P>If I am right, the First condition will match MACs in the EIG_BYODEnpoints So that make sense that the authorization is BYOD User MAB.&nbsp;<BR />So the problem is with SAML validation, it should be achieving the same as the MAC is detailed and should be captured within the endpoints correct?<BR /><BR /></P> Tue, 06 Jun 2023 14:07:56 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849263#M1101272 IanTonyBirchall 2023-06-06T14:07:56Z https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849919#M1101294 <P>Yes that's right.</P> Wed, 07 Jun 2023 07:59:00 GMT https://community.cisco.com/t5/network-security/cisco-ise-configuration-no-internet-access/m-p/4849919#M1101294 jldebelder1984 2023-06-07T07:59:00Z