04-25-2019 12:57 AM
Hello Colleagues,
The challenge I have is authenticating and authorising devices connected to SG500-52P switches using MAB.
The ISE v2.3 receives the MAC addresses but does not process any defined policy set but the default deny.
Yet when these same devices are connected to other switches, ISE v2.3 receives the MAC addresses and successfully authenticates and authorises them against policy sets defined.
The question is, how can I get ISE v2.3 to authenticate and authorise devices connected to these SG500-52P switches using MAB?
04-25-2019 02:54 AM
04-25-2019 02:58 AM
04-25-2019 02:55 AM
04-25-2019 02:57 AM
04-25-2019 08:10 AM
MAB fails on the SG500 because Internal Endpoints is not queried as the identity store and I suspect it is because of the RADIUS attribute the switch is sending to ISE. It succeeds because other switches are sending RADIUS: Service-type = Callcheck. You'll have to create a custom device profile for the SG500 that describes how that particular switch does MAB.
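To see why the Service-Type matters, here is an added example (not from this thread or from Cisco) that decodes the attribute list of a RADIUS Access-Request and evaluates it against ISE's built-in Wired_MAB condition (Service-Type = Call-Check and NAS-Port-Type = Ethernet) and against a hypothetical custom-profile rule that keys on User-Name matching Calling-Station-Id instead. The two sample requests are constructed, and the assumption that the SG500 sends Service-Type Login is mine; capture the real request from your switch to confirm what it actually sends.

```python
import struct

# RADIUS attribute numbers and enumerated values from RFC 2865
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 6, 31, 61
SERVICE_TYPE_LOGIN, SERVICE_TYPE_CALL_CHECK = 1, 10
NAS_PORT_TYPE_ETHERNET = 15


def parse_attributes(blob: bytes) -> dict:
    """Decode the type/length/value attribute list of a RADIUS packet."""
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        raw = blob[i + 2:i + alen]
        # integer-typed attributes are 4-byte big-endian; the rest are text
        attrs[atype] = (struct.unpack("!I", raw)[0]
                        if atype in (SERVICE_TYPE, NAS_PORT_TYPE)
                        else raw.decode("ascii", "replace"))
        i += alen
    return attrs


def matches_default_wired_mab(attrs: dict) -> bool:
    """ISE's built-in Wired_MAB condition: Call-Check over an Ethernet port."""
    return (attrs.get(SERVICE_TYPE) == SERVICE_TYPE_CALL_CHECK
            and attrs.get(NAS_PORT_TYPE) == NAS_PORT_TYPE_ETHERNET)


def _norm_mac(s: str) -> str:
    return s.replace("-", "").replace(":", "").lower()


def matches_custom_mab(attrs: dict) -> bool:
    """Hypothetical custom NAD-profile rule: treat the request as MAB when
    User-Name carries the same MAC as Calling-Station-Id, regardless of
    which Service-Type the switch sends."""
    user, mac = attrs.get(USER_NAME), attrs.get(CALLING_STATION_ID)
    return bool(user and mac and _norm_mac(user) == _norm_mac(mac))


def tlv(atype: int, value) -> bytes:
    """Encode one attribute; ints become 4-byte big-endian values."""
    raw = struct.pack("!I", value) if isinstance(value, int) else value
    return bytes([atype, len(raw) + 2]) + raw


# Constructed samples, not captures: a Catalyst-style MAB request and an
# SG500-style one assumed to send Service-Type Login instead of Call-Check
_COMMON = tlv(USER_NAME, b"001122334455") + tlv(CALLING_STATION_ID, b"00-11-22-33-44-55")
CATALYST_REQ = _COMMON + tlv(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK) + tlv(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET)
SG500_REQ = _COMMON + tlv(SERVICE_TYPE, SERVICE_TYPE_LOGIN) + tlv(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET)
```

Run the parser over a real Access-Request from the SG500 (for example from a RADIUS packet capture on the ISE PSN) and compare the Service-Type against the value the custom network device profile expects.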
04-25-2019 11:57 PM
Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB? Because the positive sign here is that ISE successfully receives the MAC addresses. Like, how do you think the custom device profile should be created with conditions that will match MAC addresses from SG500 switches?
04-26-2019 03:15 AM
It finally worked, thanks again Timothy. I had to create a custom policy set for Devices with MAC addresses originating from SG500 switches as you said. The policy set was created using help from this post as well:
https://community.cisco.com/t5/security-documents/sg500-nad-config/ta-p/3643438