10-06-2018 07:21 AM - edited 10-06-2018 07:22 AM
Hi, I am trying to enable MAB authentication to allow only a specific group of MAC addresses on the network.
I am trying to create a group but am not sure how; I have tried in the Endpoint Identity Group but it doesn't seem like it works.
Attached is a picture of what I am trying to do, which is to change the group Wired_MAB is using to authenticate.
How do I add my own group to this list? For example, instead of Internal Endpoints I want the group to be called funky mab.
10-06-2018 12:26 PM
I am not entirely sure how you have configured your policy, but this is an example of what you could do. Keep in mind that the following will match all wired MAB (and possibly wireless MAB, depending on how your Policy Set is configured).
1. Create an Endpoint Identity Group and place the MAC addresses for the MAB clients in this group.
2. Go to Policy Elements > Results and create an authorization result policy for the MAB devices.
3. Go to Policy Sets and edit the MAB policy; if one doesn't exist, create a MAB policy. The condition should be Wired_MAB and Allowed Protocols should be Default Network Access.
4. Edit the policy you just created and, under Authentication Policy, create a new policy where the condition is Wired_MAB and under "Use" select Internal Endpoints.
5. Under Authorization Policy, add a rule where the condition matches "Identity Group Name EQUALS Endpoint Identity Groups:<name of identity group that you have created earlier>".
6. Under "Result: Profiles" select the authorization result policy you created earlier.
7. Save the configuration.
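As an added example (not from the original post or from Cisco), step 1 of the answer done through the ISE ERS REST API in Python, so a list of MAC addresses exported from switches in mixed notations can be normalized, loaded into the Endpoint Identity Group and pinned there with a static group assignment. The ERS resource paths and JSON bodies are as I know them from the ISE ERS documentation; the host, credentials and group id are assumed placeholders.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Canonical form ISE stores for an endpoint MAC: upper-case, colon-separated.
_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff; return AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[.:\-\s]", "", raw).upper()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def endpoint_group_payload(name: str, description: str = "") -> dict:
    """ERS body that creates the Endpoint Identity Group (step 1 of the answer)."""
    return {"EndPointGroup": {"name": name, "description": description}}


def endpoint_payloads(macs, group_id: str) -> list:
    """One ERS body per MAC, statically assigned to the group so profiling cannot move it."""
    seen, bodies = set(), []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:  # a second POST for the same MAC is rejected by ISE, so skip duplicates
            continue
        seen.add(mac)
        bodies.append({"ERSEndPoint": {"mac": mac, "groupId": group_id,
                                       "staticGroupAssignment": True}})
    return bodies


def ers_post(host: str, user: str, password: str, resource: str, body: dict) -> int:
    """POST one ERS object to https://<host>:9060/ers/config/<resource>; returns the HTTP status."""
    token = b64encode(f"{user}:{password}".encode()).decode()  # ERS uses HTTP Basic auth
    req = urllib.request.Request(
        f"https://{host}:9060/ers/config/{resource}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token},
        method="POST")
    with urllib.request.urlopen(req) as resp:  # ISE answers 201 Created on success
        return resp.status


if __name__ == "__main__":  # constructed sample input; placeholder host/credentials
    group = endpoint_group_payload("funky mab", "MAB allow-list")
    for body in endpoint_payloads(["aabb.ccdd.eeff", "00-11-22-33-44-55"], "<group-id>"):
        print(json.dumps(body))
```

ERS must be enabled on the ISE node and the caller must hold the ERS Admin role; the client also has to trust the ISE admin certificate, since `urlopen` verifies TLS by default.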
10-06-2018 10:42 AM
You would need to create an Identity Source Sequence and then reference Internal Endpoints.
10-06-2018 10:50 AM
07-09-2019 12:58 AM
I have the same original problem.
We have an ISE 2.4 with Patch 8 installed.
For some reason I can't create an Authorization Policy for the group.
If I assign a custom tag to the endpoint, then I can use that tag in the AuthZ Policy. But we would like to avoid that.
I can only set up a policy against the Internal Users store and not the Endpoints.
The Endpoint dictionary only gives me the custom field and some others, but not the Identity Group.
I attached some screenshots that show the steps.
07-09-2019 01:16 PM
07-10-2019 01:16 AM
Thank you very much.
For some reason I couldn't find it.
It is a new installation, and we are in the process of getting ready to migrate from ACS to ISE. We are moving forward to the testing phase.
03-25-2022 07:08 AM
Sorry to bring up an old thread, but did you ever find an answer to this question? I would greatly appreciate a response. Thanks!