MAB Endpoint ID groups

jrowling
Cisco Employee

Hi,

I tried in the lab recently to use MAB to put different sets of devices into the correct SGT group.

We created an Endpoint ID Group, and added in the devices to it (MAC address, device type, and ID group). We then created an Auth Condition to reference this condition, and finally an Auth Policy rule using the condition.

However we did not get consistent results – it seems that sometimes the device was picked up by this rule, sometimes not. At one point the profiling service picked up the devices with the MAC address in a different format, so we tried disabling profiling and adding in the devices manually.

Do you have a view on the correct way to do this?

We ran out of time in the lab, so at the moment can't troubleshoot further, but wanted to be prepared for when we try again.

Accepted Solutions

kthiruve
Cisco Employee

Hi,

The lab should have instructions on that. Were you able to get the instructions from the lab?

When you create an endpoint, you can statically assign the endpoint to that group or dynamically.

If you want to statically assign the groups, you need to click on the option as you create the endpoint to assign to a group.

Once that is done, you can go to the authorization policy and make sure the most restrictive policy is on the top and least restrictive is at the bottom so that ISE can choose the right authorization policy when it profiles an endpoint dynamically.

Please take a look at the profiling section of the ISE design guides to understand more on how it works.

ISE Design & Integration Guides

Thanks

Krishnan
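
The MAC-format mismatch described in the question can be checked for before endpoints are statically added to an Endpoint ID Group. This is an added example, not part of the original thread and not Cisco tooling: it normalizes MAC strings to a single format (upper-case, colon-separated, chosen here as an assumption) and flags devices that appear under more than one group; the addresses and group names are constructed.

```python
import re
from collections import defaultdict

HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw):
    """Return a MAC as upper-case colon-separated octets, or raise ValueError."""
    # Strip the separators used by the common notations (":", "-", ".", spaces).
    digits = re.sub(r"[\s:.\-]", "", raw).upper()
    if not HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_endpoints(rows):
    """rows: iterable of (mac, group) pairs.

    Returns (clean, conflicts, invalid):
      clean     - normalized MAC -> its single group
      conflicts - normalized MAC -> sorted groups, when one device is listed
                  under several groups (typically via different MAC notations)
      invalid   - raw strings that are not valid MAC addresses
    """
    groups = defaultdict(set)
    invalid = []
    for raw, group in rows:
        try:
            groups[normalize_mac(raw)].add(group)
        except ValueError:
            invalid.append(raw)
    clean = {m: next(iter(g)) for m, g in groups.items() if len(g) == 1}
    conflicts = {m: sorted(g) for m, g in groups.items() if len(g) > 1}
    return clean, conflicts, invalid

# Constructed inventory: hypothetical group names, documentation-range MACs.
ROWS = [
    ("00:00:5E:00:53:01", "Lab-Printers"),  # entered manually
    ("0000.5e00.5301", "Unknown"),          # same device in dotted notation
    ("00-00-5e-00-53-02", "Lab-Cameras"),
    ("00005E005303", "Lab-Cameras"),
    ("00:00:5E:00:53", "Lab-Cameras"),      # truncated entry
]

if __name__ == "__main__":
    clean, conflicts, invalid = audit_endpoints(ROWS)
    print("clean:", clean)
    print("conflicts:", conflicts)
    print("invalid:", invalid)
```
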
