03-07-2019 09:54 AM - edited 02-21-2020 11:03 AM
Scenario:
I have a MAB policy set where each rule permits a profiler policy/logical profile I’ve defined. Then the last rule is a default deny access.
We have a subnet which we allow guests to connect on, and we want them to get permitted regardless of what device they bring or what endpoint profile it ends up being. So I want to add a rule just before the last rule which would permit any device coming from that subnet – I don’t care what profiler policy it matched. The problem is I can’t figure out a way to get this to work.
What I’ve tried/considered:
Any ideas on how to accomplish this are appreciated!
Thanks
Shaan
03-13-2019 02:54 PM
Can you share what you are trying to solve at a higher level, as there may be better ways than using IP address.
IP address is not a good condition to match on. IP addresses are often assigned post-authentication and, as you have seen from your test, the initial authentication request will not have the IP address and it cannot be used as an authentication condition. Most of the time a network device sends the IP address in the authentication request is when the endpoint is reauthenticating (meaning it has been on the network already). In general network devices will send the IP in the accounting request post-authentication.
If you can provide business requirement there may be other ways to address the issue. Thanks.
03-13-2019 08:00 PM
Part of the problem is your default rule at the bottom shouldn't be a deny access unless you are in a complete whitelist setup. If you are doing profiling of any kind you want to allow all the devices onto the network in a Limited Access state. The DACL applied would allow them to do DNS (if you want to redirect them to a limited access portal) and access to the ISE PSNs. This will allow ISE to scan devices with NMAP and SNMP to gather data. Also, by letting the device onto the network it will get an IP and you can profile by IP. So the scenario would be (assuming you are running 2.4 patch 6, which fixes the CoA on reprofile issue):
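The Limited Access DACL this reply describes, written out as an added example that is not from the original thread, in Cisco IOS extended-ACL syntax (the same permit/deny lines, without the header and remarks, are what goes into the ISE DACL content). The PSN address is a placeholder, and the DHCP line is an assumption added so the endpoint can actually obtain the address it will later be profiled by:

```cisco
ip access-list extended LIMITED-ACCESS
 remark Assumed: DHCP so the endpoint gets an IP address (needed for profiling by IP)
 permit udp any eq bootpc any eq bootps
 remark DNS, so a limited-access portal redirect can resolve
 permit udp any any eq domain
 remark Reach the ISE PSN(s); also covers replies to the PSN's NMAP and SNMP probes
 permit ip any host <ISE_PSN_IP_PLACEHOLDER>
 remark Everything else stays blocked until the endpoint is reprofiled (CoA)
 deny ip any any
```

The default rule then returns this DACL instead of Deny Access, and the device-specific rules above it (and the guest-subnet rule once the endpoint has an IP) take over after reprofiling.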
03-14-2019 02:40 AM
Here is a suggestion from another thread.
Maybe also worth running some AAA debugs and see what attributes you could perhaps match on.