I have a MAB policy set where I permit various endpoints with some different profiler policies/logical profiles I’ve defined. Then the last rule is a default deny access.
We have a subnet which we allow guests to connect on, and we want them to get permitted regardless of what device they bring. So I want to add a rule just before the last rule which would permit any device coming from that subnet – I don’t care what profiler policy it matched. The problem is I can’t figure out a way to get this to work.
What I’ve tried/considered:
Any ideas on how to accomplish this are appreciated.
I see you posted to our internal PM community. Why can't you just assign an SGT to utilize? Or if guest flow or guest endpoint give a different authorization profile?
Interesting idea. In this case it wouldn't work for me though because we also have a bunch of other devices (security cameras, printers, etc.) that are allowed onto the network using profiling and they aren't joined to the domain. Cisco TAC and AS also looked into this and they said this specific flow can't be done today. I think a feature request is in the works though.
Option 4 would be the best. Currently the IOS cannot send the interface description, but it can send the data VLAN ID/Name that the interface is configured with via the 'switchport access vlan XXX' command. The other option is to use 'mab eap' on the specific guest interfaces, where ISE can differentiate based on the MAB request protocol. I have documented a few options here: https://community.cisco.com/t5/security-documents/advanced-ise-tips-to-make-your-deployment-easier/ta-p/3850189#toc-hId--1934452079
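As an added illustration of the 'mab eap' option above (example configuration, not from the thread or from Cisco's documentation): a normal MAB port next to a guest-subnet port that sends MAB as EAP-MD5, so ISE can tell the two apart by request protocol. Interface Gi0/1, the VLAN numbers and the descriptions are assumed values.

```cisco
! Added example configuration, not from the thread.
! Normal endpoint port: MAB as usual (RADIUS PAP), profiling decides access.
interface GigabitEthernet0/1
 description Printer/camera port (standard MAB) - assumed
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 mab
!
! Guest-subnet port: 'mab eap' makes the switch send the MAB request as
! EAP-MD5 instead of PAP, which is what ISE can match on.
interface GigabitEthernet0/10
 description Guest subnet port - assumed
 switchport mode access
 switchport access vlan 200
 authentication port-control auto
 mab eap
!
! ISE side (not IOS config; from the ISE UI as I recall it, verify in your release):
!  - Allowed Protocols for the policy set must permit EAP-MD5 and treat it as a
!    host lookup, otherwise both the dot1x and MAB attempts fail as in the log above.
!  - Authorization rule, placed before the default deny:
!      Network Access:EapAuthentication EQUALS EAP-MD5
!      AND (device/location condition for the guest switch)
!      -> PermitAccess (or the guest authorization profile)
```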
Thanks so much for this info. It would be great if IOS could send the interface description. And VLAN ID/Name is useful too, although unfortunately most of our switches are on 16.x but before 16.12 where this was fixed. I will try out the "mab eap" idea and report back.
I've been testing this out and I am able to get it working. One caveat I have noticed is that if the MAC address is already in ISE, I have to delete the endpoint first for the new NAS-Identifier attribute to show up in ISE (and thus hit the correct authorization rule).
The caveat seems to be due to how the rules are ordered in the authorization policy of your policy set. If you would like such a rule to pre-empt all others, we could move it to Local/Global Exceptions.
I tried the 'mab eap' method but am running into an issue. I configured 'mab eap' on the switchport, and in ISE I configured the policy condition to simply match the switch the request is coming from, and then an authorization rule for EAP authentication = EAP-MD5. However, on the switch, when the endpoint connects, it looks like this:
May 6 10:24:19.540: %DOT1X-5-FAIL: Authentication failed for client (949a.a927.9cb2) on Interface Gi0/10 AuditSessionID 0A909A4800003EC8EA4D4CC9
May 6 10:24:19.558: %MAB-5-FAIL: Authentication failed for client (949a.a927.9cb2) on Interface Gi0/10 AuditSessionID 0A909A4800003EC8EA4D4CC9
Switch#sh auth sess
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
Gi0/10     949a.a927.9cb2  N/A     UNKNOWN  Unauth      0A909A4800003EC8EA4D4CC9
Here's what I have in ISE:
Can you tell me what I might be doing wrong?
As you have a working solution, I would suggest you not continue with this other idea of using EAP MAB.
Otherwise, please involve TAC and AS to troubleshoot. It's hard for us to tell what the issue might be without looking at the full policy sets and the auth reports.