ISE 3.0 and WLC 5508 MAB Authentication Issue

cmenuey
Level 1

Hi all,

 

I've set up a demo of ISE 3.0 to start setting up different security scenarios. I'm stuck on an issue where I have two different clients appearing in ISE as endpoints. I've added both of them to the same Endpoint Identity Group, "MAC-Address".

 

They should both get the same policy; however, only one of the two devices is able to connect to the wireless SSID configured to allow MAC Filtering. Not sure what to check. I've set up 802.1X and that worked flawlessly.

 

Thanks in advance,

 

Chris


Arne Bier
VIP

Hi @cmenuey 

 

On the WLC, what kind of SSID is this? Open or PSK? 

Do you not even see the MAB request come into ISE in the Live Logs? If that is the case, then there is an issue with the WLAN SSID configuration and it's preventing the wireless layer connectivity, even before MAB is involved.

If you do in fact see the MAB request in ISE, then check why it's failing. I would perform a tcpdump on ISE to see what attributes the WLC is sending.

Your ISE Policy Set looks correct, assuming of course the Endpoint Identity Group that you have named is EXACTLY that one - the name says "Profiled MAC Address". Why profiled? I would rule out any issues by creating a new Identity Group that is not related to Profiling and then use that instead.

Hi Arne,

 

I have the SSID set as open with MAC Filtering. I do see the denial event in the logs, it appears as "15039 Rejected per authorization profile" and has the denial Auth policy rule I have setup listed as being hit. I feel as though the allow policy is getting missed entirely.

 

The Endpoint Identity Group had that parent group name included; I had it nested. I created it as its own group as Mac-Test, then added my two test clients to that group. I updated the auth rule in the policy set to be MAC-Test; still only one client can connect. I even went so far as to remove the group requirement from the allow rule and simply allow wired/wireless MAB. Here are the steps from the Auth Summary Report if it helps:

 

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15041 Evaluating Identity Policy
15048 Queried PIP
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - F0:79:59:74:9A:9E
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
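The step list above tells the whole story once you read it in order: the request reached ISE, was classified as a host lookup (MAB), the MAC was found in Internal Endpoints and authentication passed, and only then did authorization select DenyAccess. The small triage script below is an added example (not part of this thread or of Cisco ISE) that parses such a pasted report, tolerating the fused "code<message>" form, and reports which stage failed; the sample step text is constructed from the report above, and the stage-to-code mapping uses only the step codes that appear in it.

```python
import re

# Constructed sample: the report above, in the fused "code<message>" form that
# copy/paste produces. The MAC address is the one shown in the thread.
SAMPLE_STEPS = """
11001Received RADIUS Access-Request
11027Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013Selected Identity Source - Internal Endpoints
24209Looking up Endpoint in Internal Endpoints IDStore - F0:79:59:74:9A:9E
24211Found Endpoint in Internal Endpoints IDStore
22037Authentication Passed
15036Evaluating Authorization Policy
15016Selected Authorization Profile - DenyAccess
15039Rejected per authorization profile
11003Returned RADIUS Access-Reject
5434Endpoint conducted several failed authentications of the same scenario
"""

# A step line is a 4-5 digit code followed (with or without a space) by its message.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*\S)\s*$")


def parse_steps(text: str) -> list[tuple[str, str]]:
    """Return (code, message) pairs; lines that are not step lines are skipped."""
    return [(m.group(1), m.group(2)) for m in map(STEP_RE.match, text.splitlines()) if m]


def triage_mab(steps: list[tuple[str, str]]) -> dict[str, object]:
    """Work out at which stage a MAB attempt failed, using only codes seen in the report."""
    by_code = dict(steps)
    # "Selected Authorization Profile - DenyAccess" -> "DenyAccess"
    profile = by_code.get("15016", "").split(" - ", 1)[-1] or None
    info = {
        "request_seen": "11001" in by_code,    # the WLC actually sent RADIUS to ISE
        "mab_detected": "11027" in by_code,    # Service-Type Call Check => MAB, not 802.1X
        "endpoint_found": "24211" in by_code,  # MAC exists in Internal Endpoints
        "auth_passed": "22037" in by_code,
        "authz_profile": profile,
        "repeat_failures": "5434" in by_code,  # endpoint may need "Release Rejected"
    }
    if not info["request_seen"]:
        info["verdict"] = "no-request: nothing reached ISE; check the SSID MAC filtering and WLC RADIUS config"
    elif not info["mab_detected"]:
        info["verdict"] = "not-mab: request is not a host lookup; check WLAN security (802.1X takes precedence)"
    elif not info["endpoint_found"]:
        info["verdict"] = "unknown-endpoint: MAC is not in Internal Endpoints"
    elif info["auth_passed"] and profile == "DenyAccess":
        info["verdict"] = "authz-mismatch: endpoint is known, so the rule condition (identity group) did not match"
    else:
        info["verdict"] = f"other: authorization profile {profile}"
    return info
```

Run `triage_mab(parse_steps(SAMPLE_STEPS))` on the sample and the verdict is `authz-mismatch`, which is exactly the group-name problem diagnosed in the reply below.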

Ok your NAS is sending the request to ISE and there is still an issue with your endpoint lookup during authorization. 
Have a look at the exact endpoint identity group name under ISE Context Visibility. That is the group name you must match on to have success. 

Hi Arne,

 

The issue did end up being the group. What was odd is that the group membership was correct, then when I went to another page in the UI and back to add another member, the original was gone. I refreshed the page to make sure they stuck, as the Save button on the page is always grayed out on my screen. The context visibility note helped, as well as another post I found about Release Rejected. I didn't know about this; it was the reason I couldn't get the auth to work directly after my failures during testing.

 

Thank you for your help!

 

Chris

thomas
Cisco Employee

If your endpoints are doing 802.1X instead of MAB as you expected when they join an SSID for MAB, then this is an SSID+WLAN security configuration issue on your WLC. You generally have separate SSIDs for 802.1X vs MAB services; otherwise 802.1X should take precedence because it is a much stronger form of authentication.

All is well, thank you for responding. I didn't know there was a precedence to auth; that's good to know.