Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9231
Views
50
Helpful
10
Replies

ISE 3.0 and MAB Configuration

Robert Molina
Level 1
Level 1

‎10-01-2021 01:35 PM

I am new to this and starting into configuring our ISE servers with policies for allowing endpoints to authenticate using 802.1X. I am taking a phased approach to this so I don't accidently shut down the whole network. After much research, I started with a policy set that allows network access using Wired MAB. In order to monitor, I first configured the switch with:

aaa authentication dot1x default group Groupname

aaa authentication dot1x start-stop group Groupname

For the interfaces that I am testing on I configured it with:

authentication port-control auto

authentication host-mode multi-auth

authentication open

authentication periodic

mab

dot1x pae authenticator

dot1x timeout supp-timeout 30

dot1max-req 2

 

The associated endpoints all authenticated without issues using this format. Unfortunately this doesn't work when the endpoint is a printer. I added the command authentication control-direction in.

The printer would still not pass authentication and access to printer is lost. I don't have a specific policy set for the printers and I don't know how to write one up.

 

Can anyone assist me? Thank you for your support

1 person had this problem
10 Replies 10

Marcelo Morais
VIP
VIP

‎10-01-2021 11:02 PM

Hi @Robert Molina ,

 a simple example:

 At Work Centers > Profiler > Profiling Policies > Logical Profiles

 1. create a Printer-Profiler and at Assigned Policies select your Printer model.

 Note: if you don't find your Printer model, then create one at Profiling Policies.

 At Policy > Policy Sets

 1.

  Policy Set Name: Wired-MAB

  Condition: Wired-MAB

  Note: you are able to find the Wired-MAB condition at Policy > Policy Elements > Conditions > Library Conditions.

 2. Authentication Policy

  Rule Name: MAB

  Condition: Wired-MAB

  Use: Internal Endpoints

 3. Authorization Policy

  Rule Name: Printer-MAB

  Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

 

Hope this helps !!!

Mohammed al Baqari
Level 11
Level 11
In response to Marcelo Morais

‎10-01-2021 11:18 PM

Hi,

Just one thing on top of what @Marcelo Morais said. In the authentication
policy, modify the settings if authentication failed to continue instead of
reject. This is needed for mab.

Also, before creating profiling policy, check in context visibility
》endpoints. It might be already profiled as ISE has a lot of pre-built
profiling policies.

Regards, Mohammed Al Baqari

Robert Molina
Level 1
Level 1
In response to Mohammed al Baqari

‎10-04-2021 11:00 AM

@Mohammed al Baqari 

 

Thanks for reminding me. There are a lot of prebuilt profiling policies, but one of our printers is not listed, so I ended up building one for that specific printer. I will also remember to do the authentication to continue.

Robert Molina
Level 1
Level 1
In response to Marcelo Morais

‎10-04-2021 10:58 AM

@Marcelo Morais

 

Thank you for your response. I attempted to follow you instructions, but I am having difficulty with step 3.

 3. Authorization Policy

  Rule Name: Printer-MAB

  Condition: Endpoint.LogicalProfile EQUALS Printer-Profiler

I went to Authorization Policy, gave it the rule name, but when I tried to implement the Condition, I couldn't find it or was I supposed to add it as I was building the policy but I can't find the logical profile condition. I already made a logical profile for our printers and it recognizes the printers that we have on the network. Can you provide a little more detail? I'll keep working on it while I wait for your answer.

Robert Molina
Level 1
Level 1
In response to Marcelo Morais

‎10-04-2021 12:43 PM

I finally found the Endpoing.LogicalProfile. I created a rule for the printer and hope it works. I will give a shot a today.

Thank you for your assistance.

Robert Molina
Level 1
Level 1
In response to Robert Molina

‎10-04-2021 01:01 PM

I tried to make it work, but as soon as I implemented the Monitor ACL on the switch, I couldn't ping its IP and of course couldn't print.

I just have to wait until it shows up again. Of course, this particular printer is one that is not on the pre-built by Cisco. So I am going to have to change it back to using port-security.

hslai
Cisco Employee
Cisco Employee
In response to Robert Molina

‎10-06-2022 04:52 PM

@Robert Molina What advised so far have been on how to classify/profiling your printer device. As to the switch configuration and ISE authorization policy rule and profile, please check ISE Secure Wired Access Prescriptive Deployment Guide or watch one of our videos at http://cs.co/ise-videos.

0 Helpful

tonyang
Level 1
Level 1
In response to Marcelo Morais

‎10-04-2022 02:56 AM

Hi Marcelo Morais,

Does Cisco ISE need to have advantage license if I'd like to use profiler service ? 

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to tonyang

‎10-06-2022 04:49 PM

ISE profiling services do consume advantage license. Please check ISE Ordering Guide 

You may try it by using the 90-day eval for 100-endpoints that comes with a fresh ISE install or factory reset.

0 Helpful

tonyang
Level 1
Level 1
In response to hslai

‎10-08-2022 07:10 AM - edited ‎10-08-2022 07:12 AM

Thank you, hslai.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents