03-11-2020 01:17 AM
I am trying to build a policy that authenticates both the machine's MAC and the user, who should be a member of a special group in AD. I AM NOT USING 802.1X in my setup. My NAD is an ASA.
The user authentication is already done; I just want to know how to also add (AND) certain MAC addresses to the policy, which are already added manually on ISE.
Kindly advise.
03-11-2020 06:48 AM
Assuming that your MAC addresses are all placed into an endpoint identity group in ISE, you should be able to check that the endpoint is a member of that group in your authorization policy. If you tried that and it isn't matching your rule, then open up the details of the authentication event in Radius Live Logs and scroll down on the left side to verify what attributes are available to use as a condition in your rule. Make sure the endpoint identity group is showing up properly there. If not, then make sure the "calling-station-id" is actually the MAC address of your client. It would also help if you post a screenshot of the rule you are trying to use.
03-11-2020 07:02 AM
03-11-2020 07:11 AM
Have you tried to use "IdentityGroup-Name EQUALS Endpoint Identity Group:<your group name>"?
03-11-2020 07:20 AM
03-11-2020 11:41 AM
Here is the procedure to check if a MAC address is added to a whitelist group called "IOT devices".
1. Add the MAC address to the Endpoint ID groups (Work Center > Network Access > ID Groups)
e.g.: IOT devices
2. Add the Endpoint ID group to the authorization policy (Work Center > Network Access > Policy Sets > Authorization Policy) and add a condition: select 'Identity Groups -> Name' as the attribute, with the value "Endpoint ID Groups: IOT devices".
Further, you can combine the condition with AD groups to check the user.
You need to create a tunnel group in the ASA for authorization only. Make sure the VPN device provides user information to ISE for it to verify.
On a different note, if you have AnyConnect you can use the ACIDEX extension to check the attributes sent to ISE.
03-12-2020 01:07 AM
03-11-2020 10:17 AM
If you want to add the MAC address as an additional condition in ISE, in your authorization policy look for the "RADIUS:Calling-Station-ID" attribute and put the value of your MAC address in the form AA:AA:AA:AA:AA:AA. This is for one MAC address, so I guess you don't want to do one rule per MAC address.
To match on multiple MAC addresses, in your authorization policy look for the "RADIUS:Called-Station-ID" attribute and select your Endpoint Group.
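Putting together the two approaches in this thread (the Endpoint Identity Group condition from the earlier procedure and the Calling-Station-ID condition in this reply), here is an added illustration that is not part of the original thread and is not ISE's own code: a small Python evaluator that applies the rule "endpoint is in identity group AND user is in AD group" to a constructed RADIUS request. The MAC table, the AD group names, the usernames and the authorization profile name are all made up for the example. It also shows why the earlier advice to check what Calling-Station-Id actually carries matters: if the NAD puts something other than a MAC in that attribute (an IP address, for instance), the endpoint group lookup cannot match and the rule falls through to the default deny.

```python
"""Toy evaluator for an ISE-style authorization rule combining an
endpoint identity group with an AD group.  Constructed example; the
data below is invented and is not pulled from ISE or AD."""
import re

# Constructed endpoint database: MAC -> Endpoint Identity Group, the way
# MACs added manually under Work Center > Network Access > ID Groups end up.
ENDPOINT_GROUPS = {
    "00:11:22:33:44:55": "IOT devices",
    "aa:bb:cc:dd:ee:ff": "IOT devices",
    "de:ad:be:ef:00:01": "Printers",
}

# Constructed AD group membership, standing in for the AD join point lookup.
AD_GROUPS = {
    "alice": {"Domain Users", "VPN-IoT-Admins"},
    "bob": {"Domain Users"},
}

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for common MAC spellings, else None.

    Accepts AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff and
    AABBCCDDEEFF.  Returns None when the value is not a MAC at all, which
    is the case to watch for: a VPN NAD may place the client's IP address
    in Calling-Station-Id instead of a MAC (assumption for this example).
    """
    stripped = re.sub(r"[-:.]", "", value.strip())
    if not _HEX12.match(stripped):
        return None
    low = stripped.lower()
    return ":".join(low[i:i + 2] for i in range(0, 12, 2))


def endpoint_identity_group(radius_attrs):
    """Derive IdentityGroup:Name from the request's Calling-Station-Id."""
    mac = normalize_mac(radius_attrs.get("Calling-Station-Id", ""))
    if mac is None:
        return None
    return ENDPOINT_GROUPS.get(mac)


def authorize(radius_attrs, required_endpoint_group, required_ad_group,
              permit_profile="IOT_VPN_Access"):
    """Evaluate one rule: endpoint group AND AD group must both match.

    Returns (matched, profile, reason).  Anything that does not match
    both conditions falls through to DenyAccess, mirroring a policy set
    whose default rule denies.
    """
    group = endpoint_identity_group(radius_attrs)
    user = radius_attrs.get("User-Name", "")
    if group != required_endpoint_group:
        return (False, "DenyAccess",
                f"endpoint group is {group!r}, need {required_endpoint_group!r}")
    if required_ad_group not in AD_GROUPS.get(user, set()):
        return (False, "DenyAccess",
                f"user {user!r} is not in AD group {required_ad_group!r}")
    return (True, permit_profile, "both conditions matched")


if __name__ == "__main__":
    # Constructed Access-Request attribute sets, as they would appear in
    # RADIUS Live Logs.  The third one carries an IP in Calling-Station-Id.
    requests = [
        {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"},
        {"User-Name": "bob", "Calling-Station-Id": "00:11:22:33:44:55"},
        {"User-Name": "alice", "Calling-Station-Id": "203.0.113.7"},
    ]
    for req in requests:
        print(req, "->", authorize(req, "IOT devices", "VPN-IoT-Admins"))
```

The check that the thread keeps coming back to is the one in `normalize_mac`: the endpoint group condition can only match when the attribute ISE keys the endpoint on really holds the client MAC, so when the rule does not fire, look at the raw Calling-Station-Id in the Live Log details before touching the policy.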
03-11-2020 11:48 PM
03-12-2020 01:45 AM
If the endpoint is authenticated by ISE, there is a RADIUS session, not between ISE and the endpoint but between ISE and the NAD. So the endpoint passes authentication through ISE, and thus you configure the authorization policy next, in order to match on the MAC address as a condition as well.