Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2149
Views
0
Helpful
3
Replies

MAB and Active directory check

nicanor00
Level 1
Level 1

‎09-29-2014 05:44 AM - edited ‎03-10-2019 10:04 PM

Hi

I have ISE 1.2

I would like to know if it is possible to configure AD check for MAB user

I have some user that are authenticated by MAB

But I need to add another check for those user, ISE should check the Active directory group user widows session

 

Is it possible to do it ?

How can I configure it for wired and wireless user ?

 

 

Thanks in advance

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎09-30-2014 12:24 AM

Yes, you can definitely do this. I have done this in my previous deployments for "Whitelisting" users. My policy was like this:

1. I created an Identity Group called "Whitelist"

2. Statically added all of the needed mac address to that group

3. For wireless, I created a dedicated "Policy Set" for that SSID. In the policy set I created a rule that:

- Checked for domain group membership (For instance, domain users or domain computers)

- Checked if the "Internal Identity Store" was "Whitelist"

4. For wired, I also have a dedicated "Policy Set" and you can basically duplicate the rule from wireless. 

I hope this helps!

 

Thank you for rating helpful posts!

0 Helpful

Randall Nieland
Level 1
Level 1
In response to nspasov

‎07-08-2016 08:29 AM

Neno,

I realize this is an old post, but this aligns with exactly what we are trying to do in the short-term with ISE. MAB corporate laptops at the device level, then authenticate the logged on user via AD credentials when they transition from wired to wireless. Note, there is no wired 802.1X for now (future plans). We have greenfield wireless and a bunch of new laptops to roll out and I want to dip the toe into ISE rather than an SSID with PSK and MAC filtering sort of thing, then we can tweak from there as we get PKI implemented.

So, your steps make sense logically, but I'm actually having a tough time getting it to work as desired. To start with, should the wireless SSID be open or secured? If secured, how so? MAB explicitly on the WLC?

I have an endpoint identity group with laptop wireless MAC addresses and I can get that to work with typical MAB config, and I have user auth to AD working in a lab setting with a PSK-secured SSID... I just can't get MAB and AD Auth policy set steps working together, so I'm hoping you can shed some light with a bit more detail to get me over the last hurdle.

Note, this is on ISE 2.1, in case that matters. WLC is a 3850 switch or I could use a virtual WLC for setup and testing if needed. Access points are 3702i/e.

Thanks!

Randy

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Randall Nieland

‎07-22-2016 09:22 AM

Hi Randy. Apologies for the delayed reply here but I have out for Cisco live and then some other business related travel. My answers below:

1) The SSID should be configured with WPA2+AES+802.1x. No Layer 3 security policy and no mac filtering. You need to have the SSID pointed to ISE for the AAA servers

2) The Authentication step will be based on AD group membership. While the Authorization step can be configured to check and ensure that the device's mac address is also located in the ISE local database as well as that it is part of a specific AD group

Give that a try and let me know how it goes. 

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents