12-16-2018 11:22 PM - edited 02-21-2020 11:02 AM
REF: Re: 802.1X AND MAC address Authenticati...
Is this still available for ISE 2.3 and later versions? I can set the condition to be Radius·Calling-Station-ID, but cannot set the value to be an Endpoint Identity Groups:{Groups_Name}. Can you please help to provide the policy detail? Thanks!
12-17-2018 08:27 AM
Yes, ISE 2.3 uses the dictionary attribute IdentityGroup.Name as shown below:
12-17-2018 04:57 PM
12-18-2018 03:55 AM
Hi @Jing Hong Li - which Craig Hyps reference are you referring to? There was a similar posting on this Community Forum this week where someone asked how to do 802.1X but in combination with a MAC address lookup in an Endpoint Identity Group.
Have a read here.
12-18-2018 04:18 PM
12-18-2018 04:38 PM
Craig Hyps wrote
... you can also validate the Calling-Station-Id (MAC address of LAN user) to an allowed list such as Endpoint Identity Group with specific permissions.
This is how it is done. The Calling-Station-Id (MAC address) is assigned to an endpoint ID group and we use this endpoint ID group name in the authorization policy condition.
12-18-2018 09:26 PM
Great!
Thanks hslai, and I will have a test!
12-20-2018 02:09 PM
Hi @Jing Hong Li / @hslai
I was unable to find a way to search the Calling-Station-Id in an Endpoint Identity Group DURING an 802.1X authentication. In the radius packets there is always the Calling-Station-ID - BUT - because this is an 802.1X authentication, the User-Name field is used in all of the lookups.
The solution (as far as I can see) is to perform a MAB auth, and then an 802.1X auth. The Cisco WLC supports that. If the MAB auth fails, then the WLC won't even attempt the 802.1X auth. This means less work for ISE.
The link I sent in a previous comment shows how this is done.
02-27-2019 06:46 PM
Hi Arne Bier,
No need to search Calling-Station-Id, just compare Identity Group name, it works fine.