cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1632
Views
0
Helpful
7
Replies

ISE v1.4. MAB question

Boris Uskov
Level 4
Level 4

Hello to everyone.

I'm absolutely new with ISE and need some help. I'm stuck with configuring Mac Authentication Bypass in my lab environment. So, here is my problem.

I have a laptop, which is connected to a switch port. On the switch port I have configuration for MAB.

When the port is up for the first time, the MAB authentication is unsuccessful, because I don't have any Identities configured in my ISE server (Administration -> Identities -> Endpoints is empty). And this is an expected behaviour.

But, after that unsuccessful authentication I can see, that the Identity for my laptop appears AUTOMATICALY in the section Administration -> Identities -> Endpoints. So, when I do shut/no-shut on the switchport the second time, the MAB authentication passes SUCCESSFULLY. I want to avoid such behaviour. So the question is, why after unsuccessful authentication my laptop appears in the section of Endpoint Identitites?

Please, see some attachments.

I appreciate any help, thanks.

1 Accepted Solution

Accepted Solutions

jan.nielsen
Level 7
Level 7

Don't be confused that it is authenticating, it is supposed to. All endpoints that attempt to authenticate, will have their mac address created in the internal endpoints db. You should however not be granted access, unless you have an authorization policy that is not created specifically enough. Usually if you wan't to actually use mab for something, you will create a endpoint group like "printers", and then have an authorization rule that matches on the Wired_MAB compound condition, and identity group "printers", and if your bottom rule is DenyAccess, only mac adresses in  "printers" will be allowed access.

 

 

 

 

View solution in original post

7 Replies 7

jan.nielsen
Level 7
Level 7

Don't be confused that it is authenticating, it is supposed to. All endpoints that attempt to authenticate, will have their mac address created in the internal endpoints db. You should however not be granted access, unless you have an authorization policy that is not created specifically enough. Usually if you wan't to actually use mab for something, you will create a endpoint group like "printers", and then have an authorization rule that matches on the Wired_MAB compound condition, and identity group "printers", and if your bottom rule is DenyAccess, only mac adresses in  "printers" will be allowed access.

 

 

 

 

Hello, Jan.

Thanks for your explanation, now it is clear for me!

I only want to add, that in my default MAB Authentication policy I had an action "Continue" for the condition "If user not found in Internal Endpoints db" (attach). I tried to change the action to "Reject". After that Authentification is always unsuccessful (as expected), and laptop's mac-address is not automaically placed into Internal Endpoints db. If I understood correct, if the action is set to "Reject", the proccess stops at that point and Authorization policies are not even taking place.

So, thank you!

Boris, I got the exact same issue as yours, except that we are using MAB for wireless clients and we are on version 1.3.

 

The action for "if user not found" is already "Reject", but the wireless client's mac address is still automatically placed into Internal Endpoint db. We are still struggling with this issue.

But the problem is not authentication, it's authorization. If your endpoints are getting access, they must match an authorization rule, so the thing you need to figure out is which rule it is matching, and why are you allowing these mac addresses in your authorization rules?

Yes we figured out a way to prevent the unwanted mac address from passing the authorization rule.

But what is the point of letting such unwanted mac address to pass the authentication rule in the first place? Why don't we just stop it in the authentication phase?

The main reason is that at authentication, you don't know if that mac address should be allowed or not, it could be a member of a specific endpoint group that needs access, so instead of having to create a rule in authentication policy for each group of mac addresses you wan't to give access, this is done in authorization, makes it much simpler, as you only need to create authz rules when doing something new.

You are correct, if you choose reject, it won't proceed to going through the authorization rules, and just reject the endpoint during the authentication phase. Be aware that your mab authentication rule will have to be set to continue for unknown user, if you at some point need to use guest access via CWA with ise.