
MAB authentication

anson-bates
Level 1

Hi, I am trying to enable MAB authentication to allow only a specific group of MAC addresses on the network.

 

I am trying to create a group but I'm not sure how. I have tried the Endpoint Identity Group, but it doesn't seem like it works.

 

Attached is a picture of what I am trying to do, which is to change the group that wired_mab is using to authenticate.

How do I add my own group to this list? For example, instead of Internal Endpoints I want the group to be called funky mab.

 

 

Accepted Solution

I am not entirely sure how you have configured your policy, but this is an example of what you could do. Keep in mind that the following will match all wired MAB (and possibly wireless MAB depending on how your Policy Set is configured).

 

1. Create an Endpoint Identity Group and place the MAC addresses of the MAB clients in this group.

2. Go to Policy Elements > Results and create an authorization result (profile) for the MAB devices.

3. Go to Policy Sets and edit the MAB policy set; if one doesn't exist, create one. The condition should be Wired_MAB and Allowed Protocols should be Default Network Access.

4. Edit the policy set you just created and, under Authentication Policy, create a new rule where the condition is Wired_MAB and under "Use" select Internal Endpoints.

5. Under Authorization Policy, create a rule where the condition matches "Identity Group Name EQUALS Endpoint Identity Groups:<name of the identity group you created earlier>".

6. Under "Result: Profiles" select the authorization result you created earlier.

7. Save the configuration.

--
Please remember to select a correct answer and rate helpful posts

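Step 1 above is done in the GUI by hand. For more than a handful of MAB clients it is easier to create the endpoint group and load the MAC addresses through the ISE External RESTful Services (ERS) API, which the accepted solution does not cover. The following is an added example, not code from the thread or from Cisco. It assumes ERS is enabled on the PAN (Administration > System > Settings > ERS Settings), that an ERS admin account exists, and that the hostname, credentials, group name and the three MAC addresses are placeholders you replace. Only the MAC normalisation and payload builders run offline; the HTTP calls need a reachable ISE.

```python
"""Create an ISE Endpoint Identity Group and statically assign MAB client MACs to it
via the ISE ERS API (https://<pan>:9060/ers/config/...).  Added example, not from the
thread; host, credentials, group name and MAC list are placeholder assumptions."""
import base64
import json
import re
import ssl
import urllib.request
from typing import Dict, List, Optional

ISE_HOST = "ise.example.com"   # placeholder: your Policy Administration Node
ISE_USER = "ers-admin"         # placeholder: an account with the ERS Admin role
ISE_PASS = "changeme"          # placeholder
GROUP_NAME = "funky mab"       # the group name asked for in the question

# Constructed sample input: MACs in the mixed formats you get from inventory sheets
# (IOS dotted, Windows dashed, colon-separated). Not real devices.
MAB_CLIENTS: List[str] = ["00:11:22:33:44:55", "0011.2233.4456", "00-11-22-33-44-57"]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF, the form ISE stores and matches on.
    A MAC stored in a different format never matches the MAB request, so the
    endpoint silently falls through to the default rule instead of your group."""
    raw = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def endpoint_group_payload(name: str, description: str = "") -> Dict:
    """Body for POST /ers/config/endpointgroup."""
    return {"EndPointGroup": {"name": name, "description": description}}


def endpoint_payload(mac: str, group_id: str) -> Dict:
    """Body for POST /ers/config/endpoint.  staticGroupAssignment=True pins the
    endpoint to this group so profiling does not move it to another group later."""
    return {"ERSEndPoint": {
        "mac": normalize_mac(mac),
        "groupId": group_id,
        "staticGroupAssignment": True,
    }}


def _ers(method: str, path: str, body: Optional[Dict] = None) -> Dict:
    """Minimal ERS call with HTTP basic auth; returns status, Location header and body."""
    url = f"https://{ISE_HOST}:9060/ers/config/{path}"
    token = base64.b64encode(f"{ISE_USER}:{ISE_PASS}".encode()).decode()
    req = urllib.request.Request(
        url, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # verifies the ISE certificate; keep it that way
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return {"status": resp.status,
                "location": resp.headers.get("Location", ""),
                "body": json.loads(raw) if raw else {}}


def create_group_with_endpoints(name: str, macs: List[str]) -> str:
    """Create the group, add every MAC to it, return the new group's ERS id."""
    r = _ers("POST", "endpointgroup", endpoint_group_payload(name, "MAB allow-list"))
    group_id = r["location"].rsplit("/", 1)[-1]   # ERS returns the new id in Location
    for mac in macs:
        _ers("POST", "endpoint", endpoint_payload(mac, group_id))
    return group_id


if __name__ == "__main__":
    print("created group", create_group_with_endpoints(GROUP_NAME, MAB_CLIENTS))
```

Once the group exists, the authorization rule in step 5 references it by name; a MAC that is in the group but stored in a different format, or an endpoint that profiling has moved to another group, is the usual reason the rule does not match, so normalize on the way in and keep the static assignment.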

You would need to create an Identity source sequence and then reference Internal Endpoints.


The issue I am running into is that ISE is dynamically adding MAC addresses once a device is plugged into a switch port. How do I turn this off?


I have the same original problem.

We have ISE 2.4 with Patch 8 installed.

For some reason I can't create an Authorization Policy for the group.

If I assign a custom tag to the endpoint, then I can use that tag in the AuthZ policy. But we would like to avoid that.

I can only set up a policy against the InternalUser store and not the Endpoints.

The Endpoint dictionary only gives me the custom field and some others, but not the Identity Group.

I attached some screenshots that show the steps.

Is this something that worked before for you? There are examples of working authorization rules for endpoint groups here:

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId--916002297

thank you very much.

For some reason I couldn't find it.

It is a new installation and we are in the process of getting ready to migrate from ACS to ISE. We are moving forward to the testing phase.

Sorry to bring up an old thread, but did you ever find an answer to this question? I would greatly appreciate a response. Thanks!