ISE 2.2 with ONLY MAB Standalone

cyanesh
Level 1

Hello,

I have an ISE 2.2 setup. I am deploying MAB standalone. I need to do SIMPLE MAC authentication. I want the switch to pass the MAC, and ISE to pass back a yes or no so the switch can lock the port down or not. That's it. I can't do device profiling, as nice as it sounds in theory. We have too many current devices that tie our hands for the moment, and switchport port security is unmanageable outside a few switches. So, can ISE do simple MAC auth? I have read deployment guides and user posts. I don't mind ISE getting the MACs, and even storing them. But I can't seem to make a policy that uses an endpoint identity group; the option just isn't there. That way I could only match a rule on a specific group I have added MACs to. The problem is, ISE adds MACs automatically to the internal endpoint group, so MACs end up getting authenticated anyway. I have policy sets enabled. If anyone has some insight I would appreciate it, as ISE is starting to give me grey hair.

Chris

7 Replies

Marvin Rhoads
Hall of Fame

I have done a customer deployment using only MAB for authentication. We don't find it in the deployment guide much because it's not generally recommended. (Yes the customer was fully apprised of the drawbacks and yet still chose to do so - long story.)

We imported csv file with a set of custom endpoint groups (EPGs) defined. We then match on those EPGs in our AuthC and AuthZ policies to authenticate and then apply an authorization policy (it was Trustsec SGTs in this case).

Marvin,

Thanks for the response. I am aware that MAB standalone is not recommended. But we have to walk before we dive off the deep end in our case here. I have created an Endpoint Protection Group. That is pretty easy, and then statically assigning a MAC to that group is no problem. The problem with ISE 2.2 is I can't seem to create a MAB_wired rule that will filter based on an Endpoint Protection Group. That option just isn't there.

My lab ISE is 2.1 but it should work the same on 2.2.

I created an EPG and then referenced it in an AuthZ rule. If the device is found in the EPG, then allow access. Else deny access.

See below (open picture in new window to zoom):

Marvin,

Thanks for the info, very nice. I configured the rule like you suggested, but an unknown MAC still has access. I can see the switch go through a couple of stages of learning (amber, off, amber, off), then go green. And it does have network connectivity (at least ping). If I understand the logic right, the rule is basically authenticating the MAC as long as it is in a known location, which is OK. Then it is only authorizing it based on the endpoint protection group. Wouldn't it be better for MAB standalone to just not authenticate the device and pass that back to the switch? The switch would then in turn just shut down traffic or that port. I am pretty sure I have the rule correct. Is there another configuration setting that may need to be made, outside of standard MAB and ISE?

What's your switchport configuration right now?

If you're in ISE "monitor mode" an unauthorized endpoint will be allowed full connectivity.

"closed mode" will have a default ACL that prohibits any communications for unauthorized endpoints.
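The switchport side of the monitor-mode versus closed-mode distinction in Marvin's reply, as an added Catalyst IOS example that is not from the original thread. Interface names, VLAN 10, the RADIUS server address 10.0.0.5, the server name ISE-PSN and the shared secret are placeholders, not anything posted in the thread. Both ports run MAB only; the single difference is "authentication open".

```cisco
! --- Global: RADIUS against ISE (server name, address and key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <shared-secret>
! required to enable the authentication manager on the switch, even for MAB-only ports
dot1x system-auth-control
!
! --- Monitor (open) mode: MAB still runs and ISE still answers, but
!     "authentication open" forwards traffic regardless of the result.
!     An Access-Reject is logged and the port still comes up with connectivity. ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 mab
 spanning-tree portfast
!
! --- Closed mode: identical, minus "authentication open". No data traffic
!     is forwarded for a MAC until ISE returns Access-Accept for it, so a
!     MAC that lands on a DenyAccess rule stays blocked. ---
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 mab
 spanning-tree portfast
```

"authentication host-mode multi-auth" authenticates every MAC seen on the port as its own session, so a small unmanaged switch hanging off the port gets one accept or reject per device rather than one decision for the whole port; "show authentication sessions interface GigabitEthernet1/0/2 details" lists each MAC with its method and status. Closed mode only enforces what ISE returns: for the unknown-MAC case to end in Access-Reject, the last (default) rule of the ISE authorization policy has to be DenyAccess, with the rule matching the endpoint identity group placed above it.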

Based on what I have read, as far as ISE is concerned we would definitely be in monitor mode. But I think we keep skirting what I want to do currently. I could have done it far easier and simpler with pfSense and FreeRADIUS. When a MAC presents itself for authentication to ISE, if it hasn't been added to an endpoint group, I want ISE to pass back unauthenticated. That's it. The switch will do the rest when it gets unauthenticated as the response. It seems ISE is giving back authenticated no matter what. Even if the MAC hasn't been entered, it does it for you. All I want ISE to do, for the moment, is pass back unauthenticated. I don't want ISE doing authorized access yet. When we move to 802.1X, we'll look at improving the security presence there. So, I guess the question is: how can I get ISE to return unauthenticated for a MAC that hasn't been statically input or assigned the correct group?

Marvin,

From what I have read about per-port ACLs, it only allows one per port. Unfortunately, with our numerous little switches, we have many ports that have multiple MACs. If I could just create a rule that wouldn't authenticate a MAC unless it had been statically assigned an endpoint protection group, that would be great. I have been looking at the rule you provided, and some other examples. I plan to test this, although I think my results will be the same. What do you think the rule below would accomplish?