Basic ISE policy behavior

miller-p (Level 1)

Regarding Authentication, when referencing the Internal Endpoint Database in policy, it seems to me that all profiled nodes will pass authentication since they all get populated into the Endpoint Database upon profiling?  If true, the real access control depends on Authorization.  In other words, when using MAB, all things (good, bad and ugly) get authenticated, have access to the network and must be stopped or controlled using Authorization?

Can someone please confirm this behavior?

I suppose one could turn off profiling at the expense of its benefits.

Thanks in advance.

2 Replies

Profiling doesn't play any role here. You're right in saying that any MAC address that is known to ISE would pass authentication when you point to the internal endpoints database, but only if that MAC address was seen by ISE. Essentially, if ISE ever stored that MAC address in its internal database and you use that database as the identity source for authentication, then yes, authentication for that device will pass and the decision will happen based on the authorization policy. Another interesting use case would be with guest users. The guest endpoints usually are not managed by ISE and they come to ISE as new endpoints, so ISE wouldn't have any of those endpoints' MAC addresses stored in its database. So, to allow them access to their isolated network, we change a setting in the authentication rule saying if the authentication fails, consider it as passed anyway. In simple words, we're telling ISE: don't worry about whether you know that MAC or not, just pass it, and then we enforce the access of those guests in the authorization rules. You could add a condition in the authorization rule to check if the authentication has passed, but that won't change much, because if the MAC is already known to ISE it means it has passed the authentication.

One small addition to what Aref said in the last sentence: as mentioned, for MAB Authentication to work, it's required to change the ISE default setting for "If user not found" to CONTINUE.

[Screenshot attachment: ArneBier_0-1760911604649.png]

If you want to create a final "catch all" Authorization Rule to process endpoints that ISE sees for the first time (Unknown User), or ones it has seen before but didn't match any AuthZ rules (Not Unknown, but also Auth Passed), you can create a rule as below.

[Screenshot attachment: ArneBier_1-1760911848777.png]

I don't like using the Default AuthZ rule, because I can't modify the name to reflect the rule's logic - I use a naming convention in my AuthZ rules to filter for things in Live Logs and Context Visibility.
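As an added example (not code from either reply, and not Cisco ISE's own policy engine), the following Python script is a deliberately simplified model of the MAB flow the two replies describe: an authentication rule that uses the Internal Endpoints database as its identity store, the "If user not found" option set to REJECT (the default) or CONTINUE, and an ordered authorization policy that ends in the kind of catch-all rule Arne shows. All MAC addresses, profile names and rule names are constructed for illustration, and the session fields (endpoint known, profile, authentication status) are an assumption about what a real policy engine exposes.

```python
"""Toy model of ISE MAB authentication -> authorization evaluation.

Added example, not Cisco code. It assumes a simplified model: the internal
endpoint database is a dict of MAC -> profile, the authentication rule either
rejects or continues when the MAC is not found, and authorization rules are
evaluated top-down with first match winning.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REJECT = "REJECT"      # ISE default for "If user not found" (authentication rule)
CONTINUE = "CONTINUE"  # the setting both replies say MAB needs

# Constructed sample of an internal endpoint database: MAC address -> profile.
ENDPOINT_DB: Dict[str, str] = {
    "00:11:22:33:44:55": "Cisco-IP-Phone",
    "66:77:88:99:AA:BB": "HP-Printer",
    "AA:BB:CC:DD:EE:FF": "Unknown",  # stored by ISE once seen, but never matched a profile
}


@dataclass
class Session:
    mac: str
    endpoint_known: bool          # was the MAC present in the endpoint database?
    profile: Optional[str]        # endpoint profile, if any
    auth_status: str              # "AuthenticationPassed" or "AuthenticationFailed"


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Session], bool]
    result: str                   # authorization profile / VLAN name (constructed)


def authenticate(mac: str, endpoint_db: Dict[str, str],
                 user_not_found: str) -> Tuple[Session, bool]:
    """Model of the MAB authentication rule with Internal Endpoints as the store.

    Returns the session plus a flag saying whether evaluation proceeds to the
    authorization policy at all (False models an immediate Access-Reject).
    """
    if mac in endpoint_db:
        # Any MAC ISE has ever stored passes authentication, whatever its profile.
        return Session(mac, True, endpoint_db[mac], "AuthenticationPassed"), True
    # MAC never seen: outcome depends entirely on the "If user not found" option.
    session = Session(mac, False, None, "AuthenticationFailed")
    return session, user_not_found == CONTINUE


def authorize(session: Session, rules: List[AuthzRule]) -> Tuple[str, str]:
    """First-match evaluation of an ordered authorization policy."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", "DenyAccess"


def catch_all(s: Session) -> bool:
    # Mirrors the catch-all condition in Arne's reply: endpoint seen for the
    # first time (unknown user) OR seen before and authentication passed.
    return (not s.endpoint_known) or (s.endpoint_known and s.auth_status == "AuthenticationPassed")


AUTHZ_RULES: List[AuthzRule] = [
    AuthzRule("AuthZ-Voice-Phones", lambda s: s.profile == "Cisco-IP-Phone", "Voice_VLAN"),
    AuthzRule("AuthZ-Printers", lambda s: s.profile == "HP-Printer", "Printer_VLAN"),
    AuthzRule("AuthZ-CatchAll-Unknown", catch_all, "Isolated_Guest_VLAN"),
]


def evaluate(mac: str, user_not_found: str = REJECT,
             endpoint_db: Dict[str, str] = ENDPOINT_DB,
             rules: List[AuthzRule] = AUTHZ_RULES) -> Dict[str, Optional[str]]:
    """Run one MAB session through authentication and then authorization."""
    session, proceed = authenticate(mac, endpoint_db, user_not_found)
    if not proceed:
        return {"mac": mac, "auth": session.auth_status, "rule": None, "result": "Access-Reject"}
    rule, result = authorize(session, rules)
    return {"mac": mac, "auth": session.auth_status, "rule": rule, "result": result}


if __name__ == "__main__":
    guest = "DE:AD:BE:EF:00:01"  # constructed MAC that ISE has never seen
    for setting in (REJECT, CONTINUE):
        print(f"--- 'If user not found' = {setting} ---")
        for mac in list(ENDPOINT_DB) + [guest]:
            print(evaluate(mac, setting))
```

Running it shows the behaviour both replies describe: with the default REJECT, the never-seen guest MAC gets an Access-Reject before authorization is consulted, while every MAC already in the endpoint database (including one profiled only as "Unknown") passes authentication and is sorted purely by the authorization rules. Switching to CONTINUE sends the guest MAC into authorization with AuthenticationFailed, where only the catch-all matches and it lands in the isolated VLAN. It also shows why Aref's last sentence holds: every session that reaches authorization is either unknown or known-and-passed, so the catch-all condition is effectively always true once the session gets that far.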