Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
977
Views
0
Helpful
3
Replies

Unable to rely on identity source sequence for MAB

Go to solution
jdal
Cisco Employee
Cisco Employee

‎08-06-2018 08:42 AM

Hi,

 

My customer has two different ISE clusters used for MAB (one in US, another one in EU). They would like to authenticate US devices visiting EU.

The idea was to rely on an identity source sequence, if the MAC was not in the EU internal id store, we'd query the US server.

Unfortunately, even with profiling disabled, it seems ISE is automatically adding any MAC address seen to the local identity store (when exactly was that introduced?). 

That means, as soon as a US device has been seen in EU, we would never query the US server anymore to authenticate it!

Is there any other way of achieving this? Ideally, we should be able to create an Id source sequence based on the "registered" endpoint group... (see also CSCvh72022 even if this is sth specific to profiling).

 

Thx,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to paul

‎08-06-2018 12:41 PM

This comes down to a matter of Authorization versus Authentication.  To facilitate profiling and many other services, the endpoint is typically allowed to authenticate and move to authorization phase.  This is where you could apply controls as to whether the endpoint is denied access, or allowed privileged access based on its profile, registration status, or other attribute.  You could try using RADIUS Token server to point to other ISE deployment and match policy conditions to the endpoint ID group or other supported attribute in foreign deployment.  As a RADIUS Token server, the foreign ISE server could return a single attribute for use in local policy decisions. 

 

Craig

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Alex Pfeil
Level 7
Level 7

‎08-06-2018 08:52 AM

One easy way to get around that issue would be to have one deployment.
Thanks,
Alex
0 Helpful

Go to solution
paul
Level 10
Level 10

‎08-06-2018 11:51 AM

Are you sure they don't have Unknown User set to Continue in the authentication policy for MAB.  You almost always have to enable that option when doing MAB to allow unknown MACs into the system.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to paul

‎08-06-2018 12:41 PM

This comes down to a matter of Authorization versus Authentication.  To facilitate profiling and many other services, the endpoint is typically allowed to authenticate and move to authorization phase.  This is where you could apply controls as to whether the endpoint is denied access, or allowed privileged access based on its profile, registration status, or other attribute.  You could try using RADIUS Token server to point to other ISE deployment and match policy conditions to the endpoint ID group or other supported attribute in foreign deployment.  As a RADIUS Token server, the foreign ISE server could return a single attribute for use in local policy decisions. 

 

Craig

0 Helpful
Customers Also Viewed These Support Documents