
MAB, ISE, and AD

So, I've been looking and have not found anything specific.

 

So, they are trying to add devices into AD using ieee802Device. Now, what I can't find other than mentions of this is if ISE can validate by these.

 

They set up a group I pulled into ISE, and added a device into the group. It fails with auth failed.

 

Can this be done, or does the device have to be a user account and not the ieee802Device?


umahar
Cisco Employee

Could you clarify your question again?

Do you want to authenticate MAB endpoints via AD on ISE?

I have a customer who is doing this using LDAP and placing different endpoints (profiles) in different OUs on AD.

We want to use AD and assign VLANs based on groups. APs, thermal printers, laser printers etc.

 

I think the issue is they want to use the new Devices instead of user accounts, and I don't think ISE supports this way?

If I understand correctly you want to whitelist MAB devices on AD instead of ISE itself.

Not very common but can be achieved. 

The reason they don't want to do ISE profiling is we really don't trust it to profile correctly. Right now the AP next to me is profiling as a Cisco Switch. They also would like to not have to buy 3000+ licenses for all these printers.

 

Jason, we tried that, and I guess I'm not sure if the failure is on ISE, or them not setting up AD correctly for what we are doing.

Troubleshoot with TAC then?

Yes.

Each group then can whitelist their owned devices on AD using their credentials to get them into the network.