09-24-2018 11:35 AM
So, I've been looking and have not found anything specific.
So, they are trying to add devices into AD using ieee802Device. Now, what I can't find other than mentions of this is if ISE can validate by these.
They set up a group I pulled into ISE, and added a device into the group. It fails with auth failed.
Can this be done, or does the device have to be a user account and not the ieee802Device?
09-24-2018 01:09 PM
Could you clarify your question again?
Do you want to authenticate MAB endpoints via AD on ISE?
I have a customer who is doing this using LDAP and placing different endpoints (profiles) in different OUs on AD.
09-25-2018 07:33 AM
We want to use AD and assign VLANs based on groups. APs, thermal printers, laser printers etc.
I think the issue is they want to use the new Devices instead of user accounts, and I don't think ISE supports this way?
09-25-2018 07:44 AM
If I understand correctly you want to whitelist MAB devices on AD instead of ISE itself.
Not very common but can be achieved.
09-25-2018 08:04 AM
09-25-2018 10:01 AM
The reason they don't want to do ISE profiling is we really don't trust it to profile correctly. Right now the AP next to me is profiling as a Cisco Switch. They also would like to not have to buy 3000+ licenses for all these printers.
Jason, we tried that, and I guess I'm not sure if the failure is on ISE, or them not setting up AD correctly for what we are doing.
09-27-2018 08:01 AM
09-27-2018 06:28 AM
Yes.
Each group then can whitelist their owned devices on AD using their credentials to get them into the network.