Cisco Employee

Unable to rely on identity source sequence for MAB

Hi,


My customer has two different ISE clusters used for MAB (one in US, another one in EU). They would like to authenticate US devices visiting EU.

The idea was to rely on an identity source sequence, if the MAC was not in the EU internal id store, we'd query the US server.

Unfortunately, even with profiling disabled, it seems ISE is automatically adding any MAC address seen to the local identity store (when exactly was that introduced?). 

That means, as soon as a US device has been seen in EU, we would never query the US server anymore to authenticate it!

Is there any other way of achieving this? Ideally, we should be able to create an Id source sequence based on the "registered" endpoint group... (see also CSCvh72022 even if this is something specific to profiling).

Thanks,

Accepted Solution
Advocate

Re: Unable to rely on identity source sequence for MAB

This comes down to a matter of Authorization versus Authentication. To facilitate profiling and many other services, the endpoint is typically allowed to authenticate and move to the authorization phase. This is where you could apply controls as to whether the endpoint is denied access, or allowed privileged access based on its profile, registration status, or other attribute. You could try using a RADIUS Token server to point to the other ISE deployment and match policy conditions to the endpoint ID group or other supported attribute in the foreign deployment. As a RADIUS Token server, the foreign ISE server could return a single attribute for use in local policy decisions.

Craig
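The difference between the two designs in this thread, as an added illustration that is neither Cisco's nor the poster's code: a small Python model in which the EU deployment adds every MAC it sees to its local store, and the US ISE is reached either as the second member of an identity source sequence or as a RADIUS Token server that returns one attribute for the authorization decision. The attribute value "Registered", the sample MAC and the de-registration step are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Deployment:
    """One ISE deployment, reduced to the two endpoint sets that matter here."""
    name: str
    endpoints: Set[str] = field(default_factory=set)   # local endpoint (MAC) store
    registered: Set[str] = field(default_factory=set)  # MACs in its Registered group


def token_server_lookup(foreign: Deployment, mac: str) -> Optional[str]:
    """RADIUS Token style query to the foreign ISE: it answers with a single
    attribute (constructed value here) that local authorization policy matches on."""
    return "Registered" if mac in foreign.registered else None


def mab_via_sequence(local: Deployment, foreign: Deployment, mac: str) -> str:
    """Identity source sequence: local store first, foreign store only on a miss.
    The MAC is added to the local store once seen (modelled as unconditional, an
    assumption), so the foreign store is never consulted for that MAC again."""
    if mac in local.endpoints:
        return "ACCEPT:local"                      # sequence stops at the local hit
    local.endpoints.add(mac)                       # the auto-add the poster observed
    return "ACCEPT:foreign" if mac in foreign.registered else "REJECT"


def mab_via_token_authz(local: Deployment, foreign: Deployment, mac: str) -> str:
    """The accepted answer's alternative: the endpoint authenticates locally and
    the access decision is made in authorization, asking the token server each time."""
    local.endpoints.add(mac)
    if mac in local.registered or token_server_lookup(foreign, mac) == "Registered":
        return "PERMIT"
    return "DENY"                                  # authenticated, but registered nowhere


def roaming_scenario() -> dict:
    """A US device visits EU twice; between visits the US admins de-register it.
    Returns each design's outcome at each step (constructed scenario)."""
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    us = Deployment("US", registered={mac})
    eu_seq, eu_tok = Deployment("EU"), Deployment("EU")
    first = (mab_via_sequence(eu_seq, us, mac), mab_via_token_authz(eu_tok, us, mac))
    us.registered.discard(mac)                     # device decommissioned in the US
    second = (mab_via_sequence(eu_seq, us, mac), mab_via_token_authz(eu_tok, us, mac))
    return {"first_visit": first, "after_deregistration": second}


if __name__ == "__main__":
    for step, (seq, tok) in roaming_scenario().items():
        print(f"{step:22} sequence={seq:15} token-authz={tok}")
```

The second step is the point of the thread: once the MAC sits in the EU store, the sequence design keeps accepting it on local evidence alone, while the token-server design still reflects the US registration status.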

3 Replies
Contributor

Re: Unable to rely on identity source sequence for MAB

One easy way to get around that issue would be to have one deployment.
Thanks,
Alex
VIP Engager

Re: Unable to rely on identity source sequence for MAB

Are you sure they don't have Unknown User set to Continue in the authentication policy for MAB? You almost always have to enable that option when doing MAB to allow unknown MACs into the system.
