client cannot use MAC authentication with ISE

sbmc014 (Level 4)

Hi, a PC wants to use MAC authentication with ISE but fails. I made a document with the detailed process and result (as attachment). Could you help me figure it out? Thanks.


20 Replies

ognyan.totev (Level 5)

The trick here is in the authentication rule for MAB: change "If user not found" to "Continue".

Thanks for your reply. I adjusted the settings following your suggestion:

[Attachment: add one more auth policy.jpg]

I added one more policy in authentication for "wired_MAB" but got the same result, and I found hits=0. That means this policy is not active during the communication between the switch and ISE, right?

Did I miss something in the configuration?

smashash (Cisco Employee)

Hi,

Please try the attached NAD profile.

1. Import the attached NAD profile into your ISE (under Administration > Network Resources > Network Device Profiles)

2. Configure the network device with this NAD profile on the Network Devices page

3. In the authentication policy options, change "If user not found" to "Continue"

4. Do MAB authentication

HTH,

I think the profile that Salomon uploaded looks correct. In my quick analysis the Service-Type was originally not being matched. And also the hard coding of MAC addresses in profiles is a no-no. With the new device profile attached, you can use the Normalised Smart Condition "Wired_MAB", which will now include the new DLINK Device Profile. Create a Policy Set Condition using Wired_MAB as your condition and that's that.

If the MAC address is in the Endpoint Identity Group then return access-accept (and remember that the Result Policy either has to be the same Vendor Type (i.e. DLINK) or vendor neutral (i.e. remove the vendor icon).  The default PermitAccess should do the job (unless of course you need other attributes returned).

As for the Continue if not found - that is a logic trick that we use all the time in Guest redirection, where it is IMPERATIVE that every request passes, because you HAVE to force the user to a portal even if MAC address is unknown.

In your case I don't know if that logic applies, since I think you only want to send an access-accept back to your switch if, and only if, the MAC address is in ISE.  Is that right?

Thanks for your reply. As you mentioned: "In your case I don't know if that logic applies, since I think you only want to send an access-accept back to your switch if, and only if, the MAC address is in ISE. Is that right?"

Yes, and do you know where I can configure that this MAC is accepted on the ISE side?

Thanks

Here is how you load static MAC addresses into an Identity Group. Click on each image because the resolution is reduced in this forum view.

You add the MAC addresses via Context visibility

[Attachment: Static01.png]

You can also verify that they are in the Endpoint identity Group that you have chosen.  Please don't use my example of Profiled/Axis-Device.  Choose something meaningful off the root Group, like, MAB-Printers or whatever.

[Attachment: Static02.png]

Thanks for your reply. My PC's MAC exists in the endpoint list:

[Attachment: mac in endpoint list.jpg]

and exists in the identity group:

[Attachment: mac in identity group.jpg]

but the test result still fails.

Do the above settings mean this MAC is already accepted in ISE? Or are there any other configurations I need to adjust?

Thanks for your reply, but after I imported the DlinkWired switch NAD profile, the test result still fails with the same log:

Overview

Event: 5400 Authentication failed
Username: 54E1AD9478BB
Endpoint Id:
Endpoint Profile: Windows10-Workstation
Authentication Policy: Default >> Default
Authorization Policy: Default
Authorization Result:

Authentication Details

Source Timestamp: 2018-05-04 02:04:31.124
Received Timestamp: 2018-05-04 02:04:31.125
Policy Server: ise
Event: 5400 Authentication failed
Failure Reason: 22040 Wrong password or invalid shared secret
Resolution: Check the Device shared secret in Administration > Network Resources > Network Devices and user for credentials.
Root cause: Wrong password or invalid shared secret
Username: 54E1AD9478BB
User Type: Host
Endpoint Profile: Windows10-Workstation
Authentication Identity Store: Internal Endpoints
Identity Group: Profiled
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type: Framed
Network Device: DGS1210
Device Type: All Device Types#Dlink1210
Location: All Locations
NAS IPv4 Address: 192.168.1.21
NAS Port Type: Virtual
Response Time: 18 milliseconds

Other Attributes

ConfigVersionId: 245
Device Port: 49154
DestinationPort: 1812
RadiusPacketType: AccessRequest
Protocol: Radius
NAS-Port: 0
NetworkDeviceProfileId: 580baaf4-4e28-49ca-81fd-63ca390392e9
IsThirdPartyDeviceFlow: true
AcsSessionID: ise/314001139/451
SelectedAuthenticationIdentityStores: Internal Endpoints
IdentityPolicyMatchedRule: Default
CPMSessionID: c0a80113CHtDpU5IigKqw6bFOQrqHJ5ERXON1ldelSNxpGMZ9rg
ISEPolicySetName: Default
IdentitySelectionMatchedRule: Default
DTLSSupport: Unknown
HostIdentityGroup: Endpoint Identity Groups:Profiled
Model Name: DGS1210ME
Software Version: 7.01.B021
Network Device Profile: DlinkWired_Switch
Location: Location#All Locations
Device Type: Device Type#All Device Types#Dlink1210
IPSEC: IPSEC#Is IPSEC Device#No
RADIUS Username: 54:E1:AD:94:78:BB
NAS-Identifier: D-LINK
Device IP Address: 192.168.1.21

Result

RadiusPacketType: AccessReject
AuthenticationResult: Failed
UserName: 54:E1:AD:94:78:BB

I have some questions I want to confirm:

a. I added one more authentication entry like this:

[Attachment: add wiredMAB entry in Auth.jpg]

but the hits still display zero. Do I need to add this policy? If yes, what is wrong with this setting?

b. Where can I configure that the PC's MAC is accepted on the ISE server?

For example, if I test this function between the switch and a FreeRADIUS server, I should configure "54E1AD9478BB Auth-Type := Accept" in the users file of the FreeRADIUS server, and then it works fine.

Thanks

It looks to me that the shared secret configured on the network access device does not match the NAD configuration on ISE.

hslai (Cisco Employee)

The endpoint ID is empty, so it seems the auth request does not have Calling-Station-Id, which is likely why it is not matching the Wired MAB condition.

Please try a wired capture to confirm what attributes are sent in the auth requests and then modify the NAD profile and the network access policy set accordingly.

Thanks for your reply. Yes, my original auth request does not have Calling-Station-Id, and after I changed to another switch that has Calling-Station-Id, it works, so I have some questions:

1. When I want to run MAC auth with ISE, is it only supported when the packets include "Calling-Station-Id"?

2. Or is it also supported without "Calling-Station-Id"? If yes, what configurations should I adjust?

    Modify the NAD profile in "wired MAB detected if"? Or in "wired 802.1x detected if"? And what content do I need to configure?

hslai (Cisco Employee)

ISE may authenticate without calling-station-id in the requests. However, ISE features, such as CWA or posture, would not work without calling-station-id. ISE session directory is keying off calling-station-ID in most cases.
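The "wired capture" suggested above is the decisive check in this thread, so here is an added example (not from the original thread and not Cisco or ISE code) of what to do with the captured bytes. The script parses a RADIUS Access-Request, reveals the PAP User-Password with the shared secret (RFC 2865 section 5.2), and reports the attributes a NAD profile looks at: User-Name, Calling-Station-Id, Service-Type and NAS-Port-Type. The two packets are constructed to mirror the failing log (User-Name is the MAC, Service-Type Framed, NAS-Port-Type Virtual, no Calling-Station-Id) and a switch that sends the stock wired-MAB attributes. The shared secret, the Request Authenticator and the "Service-Type = Call-Check and NAS-Port-Type = Ethernet" condition are assumptions; the condition mirrors the built-in Cisco wired-MAB detection, and a third-party profile such as the D-Link one can define different values.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 6, 31, 61  # RFC 2865
SERVICE_TYPE_NAMES = {2: "Framed", 10: "Call-Check"}
NAS_PORT_TYPE_NAMES = {5: "Virtual", 15: "Ethernet"}
# Assumption: the stock Cisco "Wired MAB detected if" condition (Service-Type = Call-Check
# and NAS-Port-Type = Ethernet). A third-party NAD profile may define different values.
WIRED_MAB_CONDITION = {SERVICE_TYPE: 10, NAS_PORT_TYPE: 15}


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def user_password_xor(data: bytes, authenticator: bytes, secret: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous hidden block); hide or reveal."""
    if hide:
        data += b"\x00" * (-len(data) % 16)  # zero-pad the clear password to a block boundary
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out, prev = out + result, (result if hide else block)  # chain on the *hidden* block
    return out if hide else out.rstrip(b"\x00")  # a wrong secret yields garbage, not an error


def normalize_mac(value: str) -> str:
    """54:e1:ad:94:78:bb, 54-E1-AD-94-78-BB and 54E1AD9478BB all compare equal."""
    return value.replace(":", "").replace("-", "").replace(".", "").upper()


def mab_report(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Summarise what a NAD profile and policy set would see in this Access-Request."""
    code, _, auth, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    first: Dict[int, bytes] = {}
    for atype, value in attrs:
        first.setdefault(atype, value)  # keep the first instance of each attribute type
    username = first.get(USER_NAME, b"").decode(errors="replace")
    csid = first.get(CALLING_STATION_ID)
    password = user_password_xor(first.get(USER_PASSWORD, b""), auth, secret, hide=False)
    stype = struct.unpack("!I", first[SERVICE_TYPE])[0] if len(first.get(SERVICE_TYPE, b"")) == 4 else None
    ptype = struct.unpack("!I", first[NAS_PORT_TYPE])[0] if len(first.get(NAS_PORT_TYPE, b"")) == 4 else None
    return {
        "username": username,
        "calling_station_id": None if csid is None else csid.decode(errors="replace"),
        "service_type": SERVICE_TYPE_NAMES.get(stype, stype),
        "nas_port_type": NAS_PORT_TYPE_NAMES.get(ptype, ptype),
        "password_is_username_mac": bool(username)
        and normalize_mac(password.decode(errors="replace")) == normalize_mac(username),
        "matches_wired_mab": stype == WIRED_MAB_CONDITION[SERVICE_TYPE]
        and ptype == WIRED_MAB_CONDITION[NAS_PORT_TYPE],
    }


def build_access_request(secret: bytes, authenticator: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode an Access-Request for the examples; the clear User-Password given here gets hidden."""
    body = b""
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            value = user_password_xor(value, authenticator, secret, hide=True)
        body += struct.pack("!BB", atype, 2 + len(value)) + value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + authenticator + body


SECRET = b"constructed-shared-secret"  # constructed; the NAD and ISE share a configured secret
AUTH = bytes(range(16))  # constructed Request Authenticator; a real NAD sends 16 random bytes

# Constructed to mirror the failing log in this thread: User-Name is the MAC, Service-Type Framed,
# NAS-Port-Type Virtual, and no Calling-Station-Id at all.
DLINK_STYLE = build_access_request(SECRET, AUTH, [
    (USER_NAME, b"54E1AD9478BB"),
    (USER_PASSWORD, b"54E1AD9478BB"),
    (SERVICE_TYPE, struct.pack("!I", 2)),
    (NAS_PORT_TYPE, struct.pack("!I", 5)),
])
# Constructed to mirror a switch whose MAB requests match the stock condition out of the box.
CISCO_STYLE = build_access_request(SECRET, AUTH, [
    (USER_NAME, b"54e1ad9478bb"),
    (USER_PASSWORD, b"54e1ad9478bb"),
    (CALLING_STATION_ID, b"54-E1-AD-94-78-BB"),
    (SERVICE_TYPE, struct.pack("!I", 10)),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),
])

if __name__ == "__main__":
    print(mab_report(DLINK_STYLE, SECRET), mab_report(CISCO_STYLE, SECRET), sep="\n")
```

Feed `mab_report` the UDP payload of a real Access-Request from the capture instead of the constructed packets. The D-Link-style packet reports `calling_station_id: None` and `matches_wired_mab: False`, which is the situation hslai describes: nothing in the request satisfies the wired-MAB condition, so the request falls through to whatever rule comes next. Note also that User-Password hiding gives no way to tell a wrong shared secret from a wrong password; with the wrong secret the revealed password is simply noise, which is why the ISE failure reason lumps both together as "Wrong password or invalid shared secret".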

howon (Cisco Employee, accepted solution)

Following NAD Profile settings should allow you to match against wired MAB. However, it does not have wired 802.1X, since I am not sure what attributes gets sent from D-Link during 802.1X. Contact me directly at howon@cisco.com and I can assist with creating the NAD profile that works with both MAB and 802.1X.

[Attachment: Screen Shot 2018-05-07 at 10.19.53 AM.png]

It works after following your settings!! Thank you very much!!