Cisco ISE MAB Authentication Problem

andrew.agaba
Level 1

Hello Colleagues,

 

The challenge I have is authenticating and authorising devices connected to SG500-52P switches using MAB.

The ISE v2.3 receives the MAC addresses but does not process any defined policy set but the default deny.

Yet when these same devices are connected to other switches, ISE v2.3 receives the MAC addresses and successfully authenticates and authorises them against policy sets defined.

Question is, how can I get ISE v2.3 to authenticate and authorise devices connected to these SG500-52P switches using MAB?

8 Replies

andrew.agaba
Level 1
 

This is a RADIUS log for the same device connected to another switch, where it succeeds with MAB.

andrew.agaba
Level 1
 

This is a RADIUS log for when a device connected to the SG500 switch fails.

MAB fails on the SG500 because Internal Endpoints is not queried as the identity store and I suspect it is because of the RADIUS attribute the switch is sending to ISE.  It succeeds because other switches are sending RADIUS: Service-type = Callcheck.  You'll have to create a custom device profile for the SG500 that describes how that particular switch does MAB.

Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB? The positive sign here is that ISE successfully receives the MAC addresses. How do you think the custom device profile should be created, with conditions that will match MAC addresses from SG500 switches?

It finally worked, thanks again Timothy. I had to create a custom policy set for Devices with MAC addresses originating from SG500 switches as you said. The policy set was created using help from this post as well:

https://community.cisco.com/t5/security-documents/sg500-nad-config/ta-p/3643438
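
The mismatch discussed in the replies above, modelled as an added example (not code from the thread or from Cisco): constructed Access-Requests are checked against a rule keyed on Service-Type = Call Check and against a hypothetical custom rule that treats a request as MAB when User-Name is the MAC in Calling-Station-Id. The attributes of the SG500-like request are assumptions; read the real ones from the ISE RADIUS live log detail for the failing session.

```python
import re

# Attribute values defined in RFC 2865.
SERVICE_TYPE_CALL_CHECK = 10
NAS_PORT_TYPE_ETHERNET = 15

def norm_mac(value):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    compact = re.sub(r"[-:.]", "", value or "").lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def call_check_rule(req):
    """Model of a profile that recognises wired MAB by Service-Type = Call Check."""
    return (req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK
            and req.get("NAS-Port-Type") == NAS_PORT_TYPE_ETHERNET)

def custom_rule(req):
    """Hypothetical custom rule: User-Name must be the MAC in Calling-Station-Id."""
    user = norm_mac(req.get("User-Name"))
    return user is not None and user == norm_mac(req.get("Calling-Station-Id"))

def triage(req):
    """Report which modelled rule would classify the request as MAB."""
    return {"call_check": call_check_rule(req), "custom": custom_rule(req)}

# Constructed sample requests (not taken from the thread's logs).
OTHER_SWITCH = {"User-Name": "001122334455",
                "Calling-Station-Id": "00-11-22-33-44-55",
                "Service-Type": SERVICE_TYPE_CALL_CHECK,
                "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET}
# Assumption: the switch sends the MAC as User-Name but no Call Check Service-Type.
SG500_LIKE = {"User-Name": "001122334455",
              "Calling-Station-Id": "00:11:22:33:44:55",
              "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET}
# A user login from the same port must not be mistaken for MAB.
DOT1X_USER = {"User-Name": "alice",
              "Calling-Station-Id": "00:11:22:33:44:55",
              "Service-Type": 2,  # Framed
              "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET}

if __name__ == "__main__":
    for name, req in [("other switch", OTHER_SWITCH),
                      ("SG500-like", SG500_LIKE),
                      ("802.1X user", DOT1X_USER)]:
        print(f"{name:12} {triage(req)}")
```

A request that matches only the custom rule corresponds to the failing case in the thread: the MAC arrives, but nothing marks the session as MAB, so the endpoint store is never consulted.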

 

 
