
Cisco ISE - Authenticate WIFI Devices Using MAB, Block All Others

cheery Tomato
Level 1

I am trying to set up WIFI authenticating MAB devices via Cisco ISE.

The authentication comes through to Cisco ISE and the devices connect but I am getting other devices as well.

I want to restrict authentication to my list of devices only and block all others.

All I can seem to point to for a list of devices is Internal Endpoints, which just seems to be everything.

Refer to attached for the authentication policy.

Running ISE 2.2.0.470

Any help is greatly appreciated.

Cheers.

Accepted Solutions

CarlCarlson1234
Level 1

The pictures you provided are of your Authentication Policy. MAB will essentially authenticate anything within your Internal Endpoint database. You'll need to add all of the MAC addresses of the devices you want to connect to this SSID into some sort of endpoint group. Then call that group out in your Authorization policy as permit, then deny everything else.

Of course, as with all MAB authentications, you open yourself up to MAC spoofing. So be wary of the implications of that.
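
An added example, not part of the original thread and not ISE code: a small Python model of the two stages the accepted answer separates, MAB authentication against the endpoint store and an authorization rule that permits one endpoint group and denies everything else. The group names, MAC addresses and function names are constructed for illustration.

```python
import re

def normalize_mac(raw):
    """Return a MAC as AA:BB:CC:DD:EE:FF; accept ':', '-' or '.' separators."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample data: every endpoint the server knows about and the
# endpoint group it sits in. Only the first two were approved by the admin.
ALLOWED_GROUP = "Wifi-MAB-Allowed"  # hypothetical group name
ENDPOINT_STORE = {
    normalize_mac(mac): group
    for mac, group in [
        ("00:11:22:33:44:55", ALLOWED_GROUP),
        ("0011.2233.4466", ALLOWED_GROUP),
        ("00-11-22-33-44-77", "Unapproved"),  # known to the store, never approved
    ]
}

def authenticate(mac):
    """MAB authentication: succeeds for any MAC present in the endpoint store."""
    return normalize_mac(mac) in ENDPOINT_STORE

def authorize(mac, restrict_to_group):
    """First-match authorization: permit rule first, default rule last."""
    group = ENDPOINT_STORE.get(normalize_mac(mac))
    if not restrict_to_group:
        return "PERMIT"  # no group condition: every authenticated MAC gets in
    if group == ALLOWED_GROUP:
        return "PERMIT"  # rule 1: member of the approved group
    return "DENY"        # default rule: everything else

def decide(mac, restrict_to_group=True):
    """Overall result for one MAB request."""
    if not authenticate(mac):
        return "DENY"
    return authorize(mac, restrict_to_group)

if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "0011.2233.4477", "aa:bb:cc:dd:ee:ff"):
        print(mac, decide(mac, restrict_to_group=False), decide(mac))
```

The decision depends only on the MAC string the client presents, which is why the spoofing caveat in the answer applies to this design.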
