Howto create Endpoint in "Internal Endpoints" Identity Store?

Hi,

I have a hard time wrapping my head around how to create Endpoints in the "Internal Endpoints" Identity Store used for MAC Authentication Bypass (MAB) without them needing to be profiled by either RADIUS or DHCP.

  • ISE 2.1 patch 4 in standalone mode
  • Profiling is "turned off" (All "Profiling Configuration" check boxes under the ISE node is disabled)
  • Endpoint MAC is added under "Work Centers -> Network Access -> Identities -> Endpoints"

When I authenticate an Endpoint using MAB I get "Authentication failed" and "22056 Subject not found in the applicable identity store(s)", even though I just created the Endpoint/MAC as above.

As soon as I enable either RADIUS or DHCP profiling under "Profiling Configuration" on my ISE node - everything works like a charm.

But I do not want to use profiling - I want to manually add my endpoints.

I might be way off, so please help

Thanks

Regards

Henrik Meyer [DK]

1 Accepted Solution

Craig Hyps (Level 10)

I suggest opening a TAC case. There may be a delay in the propagation of the endpoint to the endpoint DB. The import screen is actually displaying information for a separate database which is optimized for searching and display. There is a separate database used for auth and profile functions. If you are not able to immediately auth against a newly imported endpoint, then it could be a defect.

Craig

7 Replies


It is getting "better".

In ISE 2.3, even if "RADIUS Profiling" is turned off, Endpoints unknown to ISE are being profiled using the RADIUS probe, automatically created in the "Internal Endpoints" database and MAB authenticated.

I must for sure be missing something here - this cannot be true.

I think you are a bit confused on what profiling is and when it is actually used. Having profilers enabled doesn't consume any licenses until you use those profiling policies in an authorization rule. So having the RADIUS profiler enabled doesn't mean you are using profiling to authenticate anything.

Go to the Endpoint Identity Groups screen, build a new folder called "My_Whitelists", build as many whitelists as you want in the system, start adding your MAC addresses to them and use those whitelists in rules. Only MAC addresses in your whitelists will be allowed on the network, just as you want, and they could all be profiled as well. This is not an either/or situation.

Thanks Paul,

Still leaves me with 2 unsolved questions.

ISE 2.1: even if I created a manual whitelist, Endpoints are not being found in the "Internal Endpoint Database" if I do not turn on "RADIUS Profiling".

ISE 2.3: when "RADIUS Profiling" is disabled, Endpoints are still being "Profiled" and created in the "Internal Endpoint Database", so they will pass MAB Authentication no matter what.

Yeah, I'm not sure why having RADIUS profiling disabled matters either. You are correct about passing authentication. I usually don't even think about authentication because for the most part it is irrelevant, because all the magic in ISE happens in the authorization policy. I intentionally keep my authentication section as simple as possible.

Also you said you were unchecking the actual profilers. Why aren’t you just disabling the profiling service on the PSN?

Also be careful about what I was saying about the whitelists. If your bottom rule in the authorization section denies access and your switch is running in Open mode, you are still going to be allowing devices on. Open mode ignores RADIUS rejects. I never send a RADIUS reject in a wired deployment. Always an accept with a DACL to control access.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
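The whitelist-plus-DACL approach and the Open mode caveat in Paul's reply, as an added toy model (not ISE code and not from the thread): assumed whitelist groups, DACL names and MAC addresses are constructed sample values, and the switch-port behaviour is reduced to one flag.

```python
"""Added example, not from the thread: models the MAB authorization
decision described above and why an Access-Reject does not block an
endpoint on a port in Open mode. Group names, DACL names and MACs are
constructed sample values."""
import re

# Constructed Endpoint Identity Groups ("My_Whitelists" folder) -> MACs
WHITELISTS = {
    "My_Whitelists/Printers": {"00:11:22:33:44:55"},
    "My_Whitelists/Cameras": {"66:77:88:99:aa:bb"},
}


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAB username. Switches may send the MAC as
    aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF or aabbccddeeff; compare a single
    lower-case colon form so a format mismatch never looks like an
    unknown endpoint."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(mab_username: str, reject_unknown: bool = True) -> dict:
    """Authorization policy: a whitelist hit yields Access-Accept with a
    per-group DACL. For unknown MACs either send Access-Reject (bottom
    'deny' rule) or, as the post recommends for wired ports, an
    Access-Accept carrying a restrictive DACL."""
    mac = normalize_mac(mab_username)
    for group, macs in WHITELISTS.items():
        if mac in macs:
            dacl = "PERMIT_" + group.rsplit("/", 1)[-1].upper()
            return {"result": "Access-Accept", "dacl": dacl}
    if reject_unknown:
        return {"result": "Access-Reject", "dacl": None}
    return {"result": "Access-Accept", "dacl": "DENY_ALL_UNKNOWN"}


def port_allows_traffic(decision: dict, open_mode: bool) -> bool:
    """Open mode keeps the port forwarding regardless of a RADIUS reject,
    so only the DACL on an accept actually restricts an unknown device."""
    if decision["result"] == "Access-Accept":
        return True
    return open_mode
```

Run `authorize("DE-AD-BE-EF-00-01")` with `open_mode=True` in `port_allows_traffic` to see the unknown device still forwarded; the `reject_unknown=False` path is the accept-with-DACL alternative.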

Hi Paul,

Once again, thanks for your time to answer my post.

Even if I convert my ISE node from "Standalone" to "Primary" and disable/uncheck "Profiling" as a service, ISE still does RADIUS probe profiling. This is so weird.

I know my issue may not be relevant in a real-world scenario, but when labbing for the CCIE Security Lab Exam I want to understand the entire system and the process behind it, and I just found this to be very odd.

Maybe I should just let it go, not think about Authentication, and only think about Authorization on "not unknown" Endpoints, either pre-defined static Endpoint mappings or "auto" Profiled Endpoints.

I think what you are seeing now is just a cosmetic tagging thing in the Context Visibility screen. You said in 2.3 it was working but you saw RADIUS profiling listed as the source. I am guessing that is there because it is receiving a MAB RADIUS transaction about that Endpoint.

Like you said, having profiling completely disabled is not going to be something you come across often in an install. I think in 70+ installs I have had one customer that did that. They just disabled the check box for profiling, but nothing underneath the profiler screen was touched.

Best of luck in your studies!

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
