802.1x and Mab same policy

JonathanC1
Level 1

Hi folks,

I’ve got a specific use case whereby we need to use PEAP-MSCHAPv2 and add a condition whereby the device has to be in an endpoint identity group by MAC.

For example, the workflow: a user connects to wireless with an SSID that is 802.1X enabled and then authenticates as usual with PEAP + MSCHAPv2. The authorisation policy then needs to include the group they are in in AD (i.e. Domain Users) AND the device also needs to be in an endpoint identity group with their MAC address. They then get the authorisation result, i.e. Permit.

Is this possible, or am I overthinking it?

BW

Jon



4 Replies

Nancy Saini
Cisco Employee

You can create an authentication policy with AD as identity source and in the authorization policy put endpoint group as the condition. This should cover your scenario

So can’t I do both with the condition? E.g. if the user is in a certain group in AD. Thx

Authentication would be one of the conditions to get to the policies, i.e. the user is a user in AD; then use the conditions in the policy rules to verify any group membership etc.

Example for us is for a wireless device to go on internal network, we have ISE keep a record of devices themselves and call to check that the MAC is a domain PC with the WasMachineAuthenticated.


If you are looking to check both in AD, you can do EAP chaining, but that will just check a user and that it's a domain PC, not check for specific groups.
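As an added illustration (not ISE's code or its API; the rule engine, table names and sample MACs below are constructed assumptions), a toy model of the policy described in this thread: an AD-group condition ANDed with an endpoint identity group lookup on the client MAC, evaluated first-match with a DenyAccess fallthrough, and with MAC formats normalised so a controller's dash or dot notation still matches the stored endpoint entry.

```python
"""Toy model of an ISE-style authorization policy: AD group AND endpoint
identity group on the same rule. Hypothetical engine, not ISE's own code."""
from __future__ import annotations
import re
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so '00-11-22-AA-BB-CC', '0011.22aa.bbcc' and
    '00:11:22:aa:bb:cc' all resolve to the same endpoint-group entry."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


# Constructed endpoint identity group table (what ISE keeps per MAC).
ENDPOINT_GROUPS = {
    normalize_mac("00-11-22-AA-BB-CC"): "CorpLaptops",
    normalize_mac("0011.22dd.eeff"): "Printers",
}


@dataclass
class Session:
    username: str
    calling_station_id: str      # MAC reported by the WLC in RADIUS
    ad_groups: set[str]          # groups returned by the AD join point
    eap_method: str = "PEAP-MSCHAPv2"


@dataclass
class Rule:
    name: str
    ad_group: str | None         # None = no AD group condition
    endpoint_group: str | None   # None = no endpoint group condition
    result: str


def evaluate(rules: list[Rule], session: Session) -> str:
    """First-match evaluation like an ISE authorization policy; every
    condition on a rule must hold, and nothing matching means DenyAccess."""
    ep_group = ENDPOINT_GROUPS.get(normalize_mac(session.calling_station_id))
    for r in rules:
        if r.ad_group is not None and r.ad_group not in session.ad_groups:
            continue
        if r.endpoint_group is not None and ep_group != r.endpoint_group:
            continue
        return r.result
    return "DenyAccess"


# Constructed policy: known corporate laptop gets full access, a domain user
# on an unregistered device is pushed to a restricted VLAN instead.
POLICY = [
    Rule("Corp user on known laptop", "domain users", "CorpLaptops", "PermitAccess"),
    Rule("Corp user on unknown device", "domain users", None, "RestrictedVLAN"),
]
```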

thomas
Cisco Employee

Yes. You should have just tried it.  8-)