1208 Views, 5 Helpful, 17 Replies

MAB Authz Condition Matching Options

Mike.Cifelli (VIP Alumni)

Currently I am in the process of configuring the default MAB authz rule to use CWA with a guest portal for hosts that plug into my SDA fabric and don't match any other rules.

Current issue I am facing:
We utilize NAM/EAP chaining to authenticate computer + user via EAP-FAST (EAP-TLS) with certs/CAC cards. I have several policies set up that have different results depending on the EAP chaining result. Everything works great and as planned, except when a user simply locks their host prior to going home. Per requirements we re-authenticate every 60 minutes. If users reboot their host prior to heading out, the EAP chaining result is machine pass with user fail. For the users that simply lock their box, NAM eventually looks for the user CAC, and the 802.1X process fails, so they fall back to MAB.

I have attempted setting up authz conditions that are based on EAP chaining result EQUALS no-chaining. This seems to work during testing for a short period of time before the endpoint abandons the session and falls back to MAB.

I am looking for suggestions on how I can keep the default rule redirecting unknown hosts to the portal, and also figure out a solution for the users who may simply lock their host when leaving for the day and fall back to MAB. This will need to be a rule above the default, obviously.

Thanks in advance!

17 Replies

Last question I have on this topic, since profiling is not my sweet spot at the moment. BTW, you have been extremely helpful. Am I able to automatically purge MACs that get profiled with my new profile into the L2 endpoint group after, say, 30 days of inactivity? Let's say I have 1000 MACs in here, all 1000 hosts are removed in AD, and another 1000 hosts are introduced: will the endpoint group have just the 1000 new hosts or 2000 hosts? What is the easiest way to remove stale MACs? Thanks in advance.

@paul Disregard my last question. I just realized that I can set up endpoint purge policies. Thanks again!

Just remember inactive days only works if you have properly set up reauthentication on all your wired results. All wired results should have a wired reauthentication timer set (we usually use 65,000) and the switch needs to be set up properly to accept it:

! enable periodic reauthentication on the port
authentication periodic
! take the reauth interval from the RADIUS server (Session-Timeout) rather than a local value
authentication timer reauthenticate server