06-05-2018 08:44 PM - edited 02-21-2020 10:57 AM
Just wondering what is the best way to test 802.1x and MAB authentication using a workgroup without an AD or certificate environment.
06-05-2018 10:56 PM
You can fake this with a clever lab setup - all the tools are available in open source. Have a look at my 3-part series on how to do this:
Rapid prototyping ISE Policies without any real networking hardware (part 1)
Rapid prototyping ISE Policies without any real networking hardware (part 2)
Rapid prototyping ISE Policies without any real networking hardware (part 3)
I use this all the time to test EAP-EAP, EAP-TLS, PAP/ASCII auth.
06-06-2018 09:09 AM
06-06-2018 03:17 PM
Well, you could always create local identities (accounts) on ISE and then authenticate against those. Not sure what you mean exactly by matching on workgroup attributes? Maybe an example (I am not a Microsoft jockey ;-> )
06-06-2018 05:58 PM
06-06-2018 06:25 PM
Although I understand the theory of MAB, I don't have much experience with wired switches at the moment. I mostly deal with MAB in the context of wireless guest.
If you are using profiling then perhaps the endpoint gets moved from one Endpoint Identity Group to another. I don't use profiling so I wouldn't know. When I have placed a MAC address in an Endpoint Identity Group then it has always remained there, unless I deleted it via the Context Visibility page, or if I deleted a Sponsored Guest Account via the Sponsor Portal (and that is then the expected behaviour).
06-06-2018 07:19 PM