The challenge I have is authenticating and authorising devices connected to SG500-52P switches using MAB.
ISE v2.3 receives the MAC addresses but does not process any defined policy set except the default deny.
Yet when these same devices are connected to other switches, ISE v2.3 receives the MAC addresses and successfully authenticates and authorises them against the defined policy sets.
The question is, how can I get ISE v2.3 to authenticate and authorise devices connected to these SG500-52P switches using MAB?
MAB fails on the SG500 because Internal Endpoints is not queried as the identity store and I suspect it is because of the RADIUS attribute the switch is sending to ISE. It succeeds because other switches are sending RADIUS: Service-type = Callcheck. You'll have to create a custom device profile for the SG500 that describes how that particular switch does MAB.
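A diagnostic sketch for the answer above, added here and not part of the original thread or any Cisco code: it decodes a captured RADIUS Access-Request (RFC 2865 layout) and reports whether it carries Service-Type = Call Check with the MAC address as User-Name. Both sample packets are constructed; the Framed value in the second is an assumption for illustration, not the SG500's confirmed behaviour.

```python
import struct

# RFC 2865 attribute type numbers and the Service-Type value "Call Check"
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
CALL_CHECK, FRAMED = 10, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attr_type: [raw values]} from one RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # header: code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def normalise_mac(raw: bytes) -> str:
    """Strip separators so aa-bb.. and AABB.. compare equal."""
    text = raw.decode("ascii", "replace").lower()
    return "".join(c for c in text if c in "0123456789abcdef")

def describe_mab(packet: bytes) -> dict:
    """Summarise the attributes that matter when a server classifies MAB."""
    attrs = parse_attributes(packet)
    st = attrs.get(SERVICE_TYPE)
    service_type = struct.unpack("!I", st[0])[0] if st and len(st[0]) == 4 else None
    user = normalise_mac(attrs.get(USER_NAME, [b""])[0])
    calling = normalise_mac(attrs.get(CALLING_STATION_ID, [b""])[0])
    return {"service_type": service_type,
            "call_check": service_type == CALL_CHECK,
            "username_is_mac": len(user) == 12 and user == calling}

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: same endpoint, different Service-Type from the switch.
MAC = [(USER_NAME, b"aabbccddeeff"), (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")]
CALLCHECK_REQ = build_request(MAC + [(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))])
FRAMED_REQ = build_request(MAC + [(SERVICE_TYPE, struct.pack("!I", FRAMED))])

if __name__ == "__main__":
    for name, pkt in (("call-check", CALLCHECK_REQ), ("framed", FRAMED_REQ)):
        print(name, describe_mab(pkt))
```

Feeding it the UDP payload of an Access-Request captured from each switch type shows which attribute values a custom device profile has to match.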
Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB? Because the positive sign here is that ISE successfully receives the MAC addresses. Like, how do you think the custom device profile should be created with conditions that will match MAC addresses from SG500 switches?
It finally worked, thanks again Timothy. I had to create a custom policy set for devices with MAC addresses originating from SG500 switches, as you said. The policy set was created using help from this post as well: