Cisco ISE MAB Authentication problems

andreasalberti
Level 1

Good day,

I have a problem where I can't get any further.
Unknown hosts that authenticate themselves via MAB are automatically moved to the "unknown" group.
This group was not created by me.

The client is then allowed into the network.
ISE lets every client into the network as soon as it lands in the unknown group.
Creating a policy which should block the unknown group unfortunately didn't help either.

Could you please provide me some tips on my problem?
If you need more detailed information please let me know.

Best regards and thank you in advance

4 Replies

Mike.Cifelli
VIP Alumni

FYSA:

An unknown profile is the default system profiling policy that is assigned to an endpoint, where an attribute or a set of attributes collected for that endpoint do not match with existing profiles in Cisco ISE.

An Unknown profile is assigned in the following scenarios:

  • When an endpoint is dynamically discovered in Cisco ISE, and there is no matching endpoint profiling policy for that endpoint, it is assigned to the unknown profile.
  • When an endpoint is statically added in Cisco ISE, and there is no matching endpoint profiling policy for a statically added endpoint, it is assigned to the unknown profile.

Can you share your MAB authz policies? Is your wish to support both MAB and dot1x? Are you using any sort of custom profiling? Do you reference identity groups as a condition in your authz conditions?

Thank you in advance for your feedback.

We use both 802.1x and MAB authentication.

Even if I create a policy "identity group - unknown - deny access" it still gets authenticated.

I attached two pictures.

 

edit*

Profiling is not enabled.

 

Best regards

I've attached another picture.

There is no policy that extends access for the "unknown" identity group.

 

Kind regards

There is not enough information being provided to help. See How to Ask The Community for Help

From the step data, the session is hitting some AuthZ rule that is returning an ACCESS_ACCEPT. You'll need to either provide more detail on your full Authentication/Authorization Policies, Authorization Profiles involved, etc. or open a case with TAC to investigate further.