11-25-2020 06:50 AM
Good day,
I have a problem where I can't get any further.
Unknown hosts that authenticate themselves via MAB are automatically moved to the "unknown" group.
This group was not created by me.
The client is then allowed into the network.
ISE lets every client into the network as soon as it lands in the unknown group.
Creating a policy which should block the unknown group unfortunately didn't help either.
Could you please provide me some tips on my problem?
If you need more detailed information, please let me know.
Best regards and thank you in advance
11-25-2020 08:19 AM
FYSA:
An unknown profile is the default system profiling policy that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE.
An Unknown profile is assigned in the following scenarios:
Can you share your MAB authz policies? Is your wish to support both MAB and dot1x? Are you using any sort of custom profiling? Do you reference identity groups as a condition in your authz conditions?
11-25-2020 09:41 AM - edited 11-27-2020 09:42 AM
Thank you in advance for your feedback.
We use both 802.1x and MAB authentication.
Even if I create a policy "identity group - unknown - deny access" it still gets authenticated.
I attached two pictures.
edit*
Profiling is not enabled.
Best regards
11-26-2020 07:33 AM - edited 11-27-2020 09:42 AM
I've attached another picture.
There is no policy that extends access for the "unknown" identity group.
Kind regards
11-26-2020 01:48 PM
There is not enough information being provided to help. See How to Ask The Community for Help.
From the step data, the session is hitting some AuthZ rule that is returning an ACCESS_ACCEPT. You'll need to either provide more detail on your full Authentication/Authorization Policies, Authorization Profiles involved, etc. or open a case with TAC to investigate further.