Robert Molina

ISE 3.0 and MAB Configuration

I am new to this and starting into configuring our ISE servers with policies for allowing endpoints to authenticate using 802.1X. I am taking a phased approach to this so I don't accidentally shut down the whole network. After much research, I started with a policy set that allows network access using Wired MAB. In order to monitor, I first configured the switch with:

! 802.1X authentication method list pointing at the ISE server group
aaa authentication dot1x default group Groupname
! RADIUS accounting so session start/stop is reported to ISE
aaa accounting dot1x default start-stop group Groupname

For the interfaces that I am testing on, I configured them with:

authentication port-control auto
authentication host-mode multi-auth
authentication open
authentication periodic
mab
dot1x pae authenticator
dot1x timeout supp-timeout 30
dot1x max-req 2

The associated endpoints all authenticated without issues using this format. Unfortunately, this doesn't work when the endpoint is a printer. I added the command authentication control-direction in.

The printer would still not pass authentication and access to printer is lost. I don't have a specific policy set for the printers and I don't know how to write one up.

 

Can anyone assist me? Thank you for your support
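A switch-side config lint for the monitor-mode setup described in the post, added here as an example (it is not Cisco's, ISE's or the poster's own code). It checks for the global AAA and interface commands a monitor-mode MAB port needs, and flags the two mistyped commands that appear in the posted config. The interface name GigabitEthernet1/0/10 and the server group name ISE-GROUP are assumptions; both sample configs are constructed from the commands in the post, the first with its typos kept and the second corrected and completed.

```python
"""Lint an IOS/IOS-XE switch config for the monitor-mode MAB/802.1X prerequisites
discussed in this thread.  Added example, not Cisco, ISE or the poster's own code;
GigabitEthernet1/0/10 and the server group ISE-GROUP are assumed placeholders."""
import re

# Global commands ISE needs before it can authenticate and authorize a port.
GLOBAL_REQUIRED = [
    (r"^aaa new-model$", "aaa new-model is missing"),
    (r"^aaa authentication dot1x default group \S+", "no dot1x authentication method list"),
    (r"^aaa authorization network default group \S+",
     "no 'aaa authorization network' list: dACLs/VLANs returned by ISE are ignored"),
    (r"^aaa accounting dot1x default start-stop group \S+",
     "no 'aaa accounting dot1x default start-stop' list: sessions not reported to ISE"),
    (r"^dot1x system-auth-control$", "dot1x system-auth-control missing: 802.1X off globally"),
]
# Interface commands a monitor-mode port needs to keep serving a supplicant-less printer.
INTERFACE_REQUIRED = [
    (r"^authentication port-control auto$", "port-control is not 'auto'; nothing is authenticated"),
    (r"^authentication open$", "'authentication open' missing: a failed MAB cuts the printer off"),
    (r"^mab$", "'mab' missing: an endpoint without a supplicant can never authenticate"),
    (r"^dot1x pae authenticator$", "'dot1x pae authenticator' missing"),
]
# Mistyped commands from the original post, paired with the command that was meant.
KNOWN_TYPOS = [
    (r"^aaa authentication dot1x start-stop",
     "not a command; use 'aaa accounting dot1x default start-stop group <grp>'"),
    (r"^dot1max-req", "'dot1max-req' is a typo for 'dot1x max-req'"),
]

def parse(config):
    """Split a config into global lines and {interface: [sub-commands]}.  IOS indents
    sub-commands by one space; indented lines under non-interface blocks are skipped."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():                      # sub-command of the current block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        line = raw.strip()
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        else:                                     # any other top-level line ends the block
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def lint(config):
    """Return findings as 'scope: message' strings; an empty list means clean."""
    global_lines, interfaces = parse(config)
    findings = [f"global: {msg}" for pat, msg in GLOBAL_REQUIRED
                if not any(re.match(pat, line) for line in global_lines)]
    for name, lines in interfaces.items():
        findings += [f"{name}: {msg}" for pat, msg in INTERFACE_REQUIRED
                     if not any(re.match(pat, line) for line in lines)]
    for scope, lines in [("global", global_lines), *interfaces.items()]:
        findings += [f"{scope}: {msg}" for line in lines
                     for pat, msg in KNOWN_TYPOS if re.match(pat, line)]
    return findings

# Constructed from the commands in the original post, typos included.
ORIGINAL_POST_CONFIG = """\
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authentication dot1x start-stop group ISE-GROUP
interface GigabitEthernet1/0/10
 authentication port-control auto
 authentication host-mode multi-auth
 authentication open
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout supp-timeout 30
 dot1max-req 2
"""
# Same port, typos fixed, missing globals added, permit-all pre-auth ACL so monitor mode blocks nothing.
CORRECTED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
dot1x system-auth-control
ip access-list extended ACL-MONITOR
 permit ip any any
interface GigabitEthernet1/0/10
 ip access-group ACL-MONITOR in
 authentication control-direction in
 authentication port-control auto
 authentication host-mode multi-auth
 authentication open
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout supp-timeout 30
 dot1x max-req 2
"""
```

lint(ORIGINAL_POST_CONFIG) returns five findings: the three missing global commands (authorization, accounting, dot1x system-auth-control) and the two typos; lint(CORRECTED_CONFIG) returns an empty list. The checks are exact matches on the full command text, so feed it `show running-config` output rather than the abbreviated forms IOS accepts at the CLI.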

Marcelo Morais

Hi @Robert Molina ,

 a simple example:

 At Work Centers > Profiler > Profiling Policies > Logical Profiles

 1. create a Printer-Profiler and at Assigned Policies select your Printer model.

 Note: if you don't find your Printer model, then create one at Profiling Policies.

 At Policy > Policy Sets

 1.

  Policy Set Name: Wired-MAB

  Condition: Wired-MAB

  Note: you are able to find the Wired-MAB condition at Policy > Policy Elements > Conditions > Library Conditions.

 2. Authentication Policy

  Rule Name: MAB

  Condition: Wired-MAB

  Use: Internal Endpoints

 3. Authorization Policy

  Rule Name: Printer-MAB

  Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

 

Hope this helps !!!

Hi,

Just one thing on top of what @Marcelo Morais said. In the authentication policy, modify the settings if authentication failed to continue instead of reject. This is needed for MAB.

Also, before creating a profiling policy, check in Context Visibility > Endpoints. It might be already profiled, as ISE has a lot of pre-built profiling policies.

Regards, Mohammed Al Baqari

@Mohammed al Baqari 

 

Thanks for reminding me. There are a lot of prebuilt profiling policies, but one of our printers is not listed, so I ended up building one for that specific printer. I will also remember to do the authentication to continue.

@Marcelo Morais

 

Thank you for your response. I attempted to follow your instructions, but I am having difficulty with step 3.

 3. Authorization Policy

  Rule Name: Printer-MAB

  Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

I went to Authorization Policy and gave it the rule name, but when I tried to implement the Condition, I couldn't find it. Or was I supposed to add it as I was building the policy? I can't find the logical profile condition. I already made a logical profile for our printers and it recognizes the printers that we have on the network. Can you provide a little more detail? I'll keep working on it while I wait for your answer.

I finally found Endpoint.LogicalProfile. I created a rule for the printer and hope it works. I will give it a shot today.

Thank you for your assistance.

I tried to make it work, but as soon as I implemented the Monitor ACL on the switch, I couldn't ping its IP and of course couldn't print.

I just have to wait until it shows up again. Of course, this particular printer is one that is not on the pre-built by Cisco. So I am going to have to change it back to using port-security.
