ISE Allow MAB for endpoints which had successful Dot1.x authentication

JonatanSitter
Level 1

Hello everybody,

I'm looking into how to allow MAB for endpoints which had successful 802.1x authentication.

Is there a way to update some endpoint attribute based on a successful 802.1x authentication which then gets used whenever the client (for whatever reason) goes through MAB?

On another NAC solution you can set the endpoint to known through after an authentication.

How would I do that in ISE?

Thanks in advance!

BR

Jonatan

10 Replies

marce1000
VIP


>...I'm looking into how to allow MAB for endpoints which had successful 802.1x authentication.

Inconsistent requirement, 802.1x supersedes MAB.

>...Is there a way to update some endpoint attribute based on a successful 802.1x authentication which then gets used whenever the client (for whatever reason) goes through MAB?

- The client doesn't go to anything; what the client does is determined by the NAC (ISE) infrastructure (only).

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thanks for the helpful response.

I know that 802.1x supersedes MAB. But as you might know, sometimes an endpoint fails to authenticate over 802.1x.
At that point the switch allows for MAB. I want ISE to authenticate/authorize an endpoint over MAB only if there has been a successful 802.1x authentication, for example the day before.

We should be able to set endpoint attributes in the authorization process. Not only send radius attributes to the switch but also add custom attributes to the endpoint database.

First configure ISE for MAB and for 802.1x.

Then configure your switch with 802.1x flexible auth, where order and priority play a big role in whether the endpoint authenticates with both or only one of MAB/802.1x.
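An added illustration of the flexible-auth ordering the reply above refers to (example configuration, not the poster's own): an IOS/IOS-XE access-port stanza, with a placeholder interface name and VLAN, that tries 802.1X first and only falls back to MAB when the supplicant fails or never answers. The ISE side (a MAB authorization rule that matches a specific endpoint identity group) is configured in the ISE GUI, not on the switch.

```ios
! Added example, not from the thread. Interface name and VLAN are placeholders.
interface GigabitEthernet1/0/10
 description Access port - 802.1X first, MAB only as fallback
 switchport mode access
 switchport access vlan 10
 !
 ! Method order: 802.1X is attempted before MAB.
 authentication order dot1x mab
 ! Priority: if both methods could succeed, the 802.1X result wins over MAB.
 authentication priority dot1x mab
 ! On an 802.1X failure (e.g. bad credentials) move on to the next method
 ! instead of leaving the port unauthorized or authorizing a VLAN locally.
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 ! Time until a silent endpoint (PXE boot, no supplicant) reaches MAB is
 ! roughly (max-reauth-req + 1) * tx-period: here (2 + 1) * 10 = ~30 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

This stanza only controls when the switch sends a MAB request; it does not restrict which MAC addresses ISE accepts, so the restriction to previously authenticated endpoints still has to come from the ISE authorization policy.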

Charlie Moreton
Cisco Employee

If 802.1x fails for whatever reason, do you really want to allow access?  What if the device is stolen?  The thief now has access to your network.  Just because another solution allows an insecure workaround it should not be the norm.  

What about PXE boot for example? In that case the PC/laptop does not respond to 802.1x and needs to fall back to MAB. I want to only allow that if it has previously authenticated successfully and not just for any PXE device.

Move the endpoint MAC address to a PXE Endpoint Identity Group and reference that in your Authorization Policy

Can that be done automatically?
i.e. if authenticated successfully -> endpoint gets assigned a certain endpoint identity group which later can be referenced in MAB authz policy.

Charlie Moreton
Cisco Employee

It can be; it depends on how you have your profiling and/or EIGs set up as to how you would determine which EIG the endpoints are assigned to.

Could you maybe give me some hints, what to look for?