andrew.agaba
Beginner

Cisco ISE MAB Authentication Problem

Hello Colleagues,

The challenge I have this is authenticating and authorising devices connected to SG500-52P switches using MAB.

The ISE v2.3 receives the MAC addresses but does not process any defined policy set but the default deny.

Yet when these same devices are connected to other switches, ISE v2.3 receives the MAC addresses and successfully authenticates and authorises them against policy sets defined.

Question is, how can I get ISE v2.3 to authenticate and authorise devices connected to these SG500-52P switches using MAB?

andrew.agaba
Beginner

This is a RADIUS log for the same device connected to another switch, which succeeds with MAB.
andrew.agaba
Beginner

This is a RADIUS log for when a device connected to the SG500 switch fails.

MAB fails on the SG500 because Internal Endpoints is not queried as the identity store and I suspect it is because of the RADIUS attribute the switch is sending to ISE.  It succeeds because other switches are sending RADIUS: Service-type = Callcheck.  You'll have to create a custom device profile for the SG500 that describes how that particular switch does MAB.
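To make the reply above concrete, here is a small model (added example, not from the thread, not Cisco or ISE code) of how a RADIUS server's network device profile decides whether an Access-Request counts as MAB, and therefore whether Internal Endpoints is ever queried. The "Cisco" profile condition (Service-Type = Call Check) is the one named in the reply; the Service-Type the SG500 actually sends, the User-Name equals Calling-Station-Id check and the sample requests are assumptions, so read them off the real failing RADIUS log before building the custom profile.

```python
import re
from typing import Dict, Optional

# Constructed endpoint store: the endpoint as it would sit in Internal Endpoints.
INTERNAL_ENDPOINTS = {"001122aabbcc"}

# Per-device-profile conditions under which a request is treated as MAB
# (host lookup). "Cisco" is the rule the reply names; "SG500-custom" uses an
# ASSUMED Service-Type, verify it against the switch's own RADIUS log.
PROFILES: Dict[str, Dict[str, str]] = {
    "Cisco": {"Service-Type": "Call Check"},
    "SG500-custom": {"Service-Type": "Login"},  # assumption
}

# Accept aabbccddeeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
MAC_FORMS = re.compile(
    r"[0-9A-Fa-f]{12}|([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
)

def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    if not MAC_FORMS.fullmatch(value or ""):
        return None
    return re.sub(r"[^0-9A-Fa-f]", "", value).lower()

def classify(request: Dict[str, str], nad_profile: str) -> Dict[str, Optional[str]]:
    """Decide the flow for one Access-Request from a NAD using nad_profile."""
    conditions = PROFILES[nad_profile]
    if any(request.get(attr) != want for attr, want in conditions.items()):
        # Not recognised as MAB: no identity store is consulted and only the
        # default policy set (deny here) applies, as in the SG500 log.
        return {"flow": "unknown", "store": None, "result": "reject (default)"}
    mac = normalize_mac(request.get("Calling-Station-Id"))
    # Host lookup also expects User-Name to carry the same MAC (model assumption).
    if mac is None or normalize_mac(request.get("User-Name")) != mac:
        return {"flow": "MAB", "store": None, "result": "reject (malformed)"}
    known = mac in INTERNAL_ENDPOINTS
    return {"flow": "MAB", "store": "Internal Endpoints",
            "result": "accept" if known else "reject (unknown endpoint)"}

# Constructed requests: the same endpoint behind a Cisco IOS switch and behind the SG500.
CISCO_REQ = {"User-Name": "001122aabbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC",
             "Service-Type": "Call Check"}
SG500_REQ = {"User-Name": "00:11:22:aa:bb:cc", "Calling-Station-Id": "00:11:22:aa:bb:cc",
             "Service-Type": "Login"}  # Service-Type value is an assumption

if __name__ == "__main__":
    print(classify(CISCO_REQ, "Cisco"))         # MAB, Internal Endpoints, accept
    print(classify(SG500_REQ, "Cisco"))         # unknown, default deny
    print(classify(SG500_REQ, "SG500-custom"))  # MAB, Internal Endpoints, accept
```

The middle case is the failure in the thread: the request reaches the server, but because the profile's MAB condition does not match, the endpoint store is never consulted and only the default rule fires.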

Thank you Timothy, so how do I write a policy set specifically for the SG500 MAB? The positive sign here is that ISE successfully receives the MAC addresses. How do you think the custom device profile should be created, with conditions that will match MAC addresses from SG500 switches?

It finally worked, thanks again Timothy. I had to create a custom policy set for Devices with MAC addresses originating from SG500 switches as you said. The policy set was created using help from this post as well:

https://community.cisco.com/t5/security-documents/sg500-nad-config/ta-p/3643438
