Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3931
Views
5
Helpful
7
Replies

MAB authentication

Go to solution
anson-bates
Level 1
Level 1

‎10-06-2018 07:21 AM - edited ‎10-06-2018 07:22 AM

Hi I am trying to enable MAB authentication to allow only a specific group of mac address on the network

 

I am trying to create a group but not sure how, I have tried in the Endpoint Identity Group but it does seem like it works

 

Attached is the picture of what i am trying to do and that is change group wired_mab is using to authenticate. 

How do i add my own group to this list. for example instead of internal endpoint i want the group to be call funky mab

 

 

Preview file
18 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to anson-bates

‎10-06-2018 12:26 PM

I am not entirely sure how you have configured your policy but this is an example of what you could do.  Keep in mind that the following will match all wired MAB (and possibly wireless MAB depending on how your Policy set is configured).

 

1. create an Endpoint Identity Group and place the MAC addresses for the MAB clients in this group

2. Go to Policy Elements > Results and create an authorization result policy for the MAB devices

3. Go to Policy Sets and edit the MAB policy, if one doesn't exist create a MAB policy Condition should be Wired_MAB and Allowed Protocols should be Default Network Access

4. Edit the policy you just created and under Authentication Policy create a new policy where the condition is Wired_MAB and under "use" select Internal Endpoints

5. Under Authorization Policy where the condition matches "Identity Group Name EQUALS Endpoint Identity Groups:<name of identity group that you have created earlier>"

6. Under "Result: Profiles" select the Authorization result policy you created earlier.

7. Save the configuration

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

7 Replies 7

Go to solution
Marius Gunnerud
VIP
VIP

‎10-06-2018 10:42 AM

You would need to create an Identity source sequence and then reference Internal Endpoints.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
anson-bates
Level 1
Level 1
In response to Marius Gunnerud

‎10-06-2018 10:50 AM

The issue I am running into is that ISE is dynamically adding MAC address once plugged into a switch port. How do I turn this off
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to anson-bates

‎10-06-2018 12:26 PM

I am not entirely sure how you have configured your policy but this is an example of what you could do.  Keep in mind that the following will match all wired MAB (and possibly wireless MAB depending on how your Policy set is configured).

 

1. create an Endpoint Identity Group and place the MAC addresses for the MAB clients in this group

2. Go to Policy Elements > Results and create an authorization result policy for the MAB devices

3. Go to Policy Sets and edit the MAB policy, if one doesn't exist create a MAB policy Condition should be Wired_MAB and Allowed Protocols should be Default Network Access

4. Edit the policy you just created and under Authentication Policy create a new policy where the condition is Wired_MAB and under "use" select Internal Endpoints

5. Under Authorization Policy where the condition matches "Identity Group Name EQUALS Endpoint Identity Groups:<name of identity group that you have created earlier>"

6. Under "Result: Profiles" select the Authorization result policy you created earlier.

7. Save the configuration

--
Please remember to select a correct answer and rate helpful posts

Go to solution
janis.heffe
Level 1
Level 1
In response to Marius Gunnerud

‎07-09-2019 12:58 AM

i have the same original problem.

we have a ISE 2.4 with Patch 8 installed.

For same reason i can't create a Authorization Policy for the group.

If i assign a custom Tag to the endpoint than i can use that tag in the AuthZ Policy. But we would like to avoid that.

I can only setup a policy against the InternalUser store and note the Endpoints.

The Endpoint Dictionary only gives me the custom field and same others but not the Identity Group.

i attached same screenshots that show the steps

Preview file
31 KB
Preview file
21 KB
Preview file
54 KB
Preview file
38 KB
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to janis.heffe

‎07-09-2019 01:16 PM

Is this something worked before for you? There are examples of working authorization rules here for endpoint groups

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId--916002297
0 Helpful

Go to solution
janis.heffe
Level 1
Level 1
In response to Jason Kunst

‎07-10-2019 01:16 AM

thank you very much.

for same reason i couldn't find it.

It is a new installation and we are in the process of getting ready to migrate from ACS to ISE. We are moving forward to the testing phase.

0 Helpful

Go to solution
DHCBT
Level 1
Level 1
In response to anson-bates

‎03-25-2022 07:08 AM

Sorry to bring up an old thread but did you ever find an answer to this quest? I would greatly appreciate a response. Thanks!

0 Helpful
Customers Also Viewed These Support Documents