ISE 2.2.0 issue with deleting MAC addresses from identity store

Glenn R
Level 1

Hi,

There are actually two questions here that need responding to, but the primary one is around the deletion of a MAC address entry in an identity store.

I have ISE 2.2.0.470 installed, and for wired connections we use dot1x for PC authentication and then, as expected, MAB for non-domain devices. The original issue is getting Cisco phones authenticated onto the network without having to use MAC addresses in MAB, which normally works. One of our sites is set up a bit differently and does not have separate data and voice VLANs but instead uses the one VLAN for both. At this site we do not connect PCs into phones, and all the PC devices are being authenticated correctly with dot1x, but all the phones are failing authentication.

To troubleshoot, I have added one of the phones' MAC addresses to the site --> printer group identity, which is now authenticating and allowed on the network. I would have expected that the phones would have been identified using CDP or RADIUS VSA and then authenticated using the device type. This is not the case.

What I have then tried is to remove the MAC address from the group so that auth fails and I can test some more, but it is not being removed. The device is still authenticating via MAB. I have checked the purge properties, and there is a default job that takes place every evening at 3:00.

 

Any help here would be appreciated.  

Octavian Szolga
Level 4

Hi,

If the phone is correctly identified and you are using the same authorization rule for profiled IP phones, the setup would not work because ISE is returning voice domain permissions (essentially it tells the switch to apply whatever voice vlan is configured at the port level).

If the switchport does not have a voice VLAN configured, it will not get applied and authorization will fail, even though ISE will show a green/authenticated session.

It doesn't matter whether or not the VLAN is configured on the switch; it's not configured at port level.

Regarding your second issue, normally when you remove a MAC address from an endpoint identity group, ISE sends a CoA message to the switch, telling it to reauthenticate the device. Maybe CoA support is not configured on the switch or on ISE for the specific NAD.

Regards,

Octavian
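To illustrate the two points in the reply above, here is a constructed IOS switch configuration (an added example, not taken from the thread or from either poster): a single-VLAN access port like the one in the question, a port where a voice-domain authorization can actually be applied, and the dynamic-author block that lets the switch accept CoA from ISE. Interface names, VLAN IDs, the ISE address and the shared secret are placeholders.

```cisco
! Constructed example config; VLAN ids, IP address and key are placeholders.
!
! (1) The single-VLAN port from the question. ISE can return a
!     voice-domain permission for the profiled phone, but there is no
!     voice VLAN on the port for the switch to apply it to, so the
!     session shows authenticated in ISE yet the phone gets no access.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! (2) The same port with a voice VLAN defined at port level. A phone
!     authorized into the voice domain is placed in VLAN 20; a PC
!     behind it stays in VLAN 10 (multi-domain = one data + one voice).
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! (3) CoA support on the NAD. Without this block the switch ignores the
!     reauthentication request ISE sends when the MAC is removed from
!     the endpoint identity group, so the old MAB session stays up.
!     The client address is the ISE PSN; the key must match the shared
!     secret configured for this device in ISE.
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER_SHARED_SECRET
 auth-type any
!
! Exec-mode checks while confirming CoA works:
!   show authentication sessions interface GigabitEthernet1/0/1 details
!   clear authentication sessions mac 0011.2233.4455   (forces reauth)
```

On the ISE side the same NAD entry must have CoA enabled under its RADIUS settings (ISE sends CoA to UDP port 1700 by default), otherwise nothing is sent to the switch at all.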