Solved: Re: dumb ISE question

gnijs · ‎03-05-2012

When i enable profiling on the ISE, it automatically addeds "profiled" devices to the MAB database, like HP workstations or Cisco IP phones,

so that they can logon via MAB automatically. How can i prevent this ?

Geert

koeppend · ‎03-05-2012

Your other option is to set your profiled devices to automatically create their own profiled groups.

That way they will not fall into the MAB group and won't be effected by the MAB authentication rule.

If you not sure where to do that let me know, can give you the menu path.

Sent from Cisco Technical Support iPad App

View solution in original post

Eduardo Aliaga · ‎03-05-2012

Hi. You should set the authentication rule called "MAB" to disable or just delete it.

Please rate if it helps. Kind regards

koeppend · ‎03-05-2012

Your other option is to set your profiled devices to automatically create their own profiled groups.

That way they will not fall into the MAB group and won't be effected by the MAB authentication rule.

If you not sure where to do that let me know, can give you the menu path.

Sent from Cisco Technical Support iPad App

jjlethiers · ‎03-08-2012

Hi,

I am interested in the menu path to achieve this goal. Could you please tell me how to do that ?

Moreover, is there a way to tell the MAB authentication rule to parse only a specific endpoint group and not the whole "Internal Endpoints" store ?

Kind Regards,

Jean-Jacques

gnijs · ‎03-08-2012

1) Go to Policy->Profiling->Policies. Pick a group and change "Use Hierarchy" to "Create Matching Identity Group".

This way for each category, an specific group will be created. You can then assign a policy to the identity group and not use the default top-level hierachy policy.

2) Regarding your second question, i have been struggling at the same point. After some search, i realized that the Authentication page is only for which protocol you want to allow (ie MAB). What needs to happen with MAB, you need to define in the Authorization page.

There you can make a policy for example "if part of CISCO_PHONES" and "WIRED_MAB" then apply "VOICE policy" for example...don't know if this all true, but it seems to work..

koeppend · ‎03-11-2012

Jean

What Gnijs said is the correct menu path.

Once you set a particular device group to create its own device group, you can then reference those devices from within the authorisation rules.

Here is an example of what I did for one customer, I specifically set my profiling service to group ipads, iphones, blueberries, HTC and android into their own groups as these were the only devices the client wanted to support. Based on the device types and if their user credentials were in a certain AD domain group they were allowed to connect to the BYO SSID and have limited access to the network, you will notice that some of my other rules reference Windows workstations:

koeppend · ‎03-11-2012

To get around your problem with Users devices being authenticated via MAB and then being bypassed on the rest of the rules, you can either disable the MAB rule if your not using MAB, but with customers with 1000's of IP desk phones, you need MAB.

So limit the protocols in MAB authentication rule and make sure that the rule only references internal devices, wo when devices are trying to authenticate via a different Auth type, they dont match the mab rule.

Example: