MAB user failed to land correct Authorization policy after posture success

pemasirid
Level 1

Hi,

We have a MAB user who authenticates via the web portal using a domain username/password, gets the NAC web agent download, and does the posture.

After posture is completed (say success/passed), the user is landing on the Default Policy, which is DenyAccess.

I have changed the guest portal settings by enabling VLAN DHCP Release and CoA, but there is no luck. I have similar rules for wired dot1x and they are working fine after the posture part; the only difference is they are MAB users, authenticated via the web portal, and belong to a different user group in AD.

What we could see on the switch: once you authenticate, it gets the Web Redirect, and when the user authenticates it gets the NAC web agent direct, and after posture is completed it again goes back to the web portal redirection, giving an error saying both dot1x and MAB failed.

Attached are the switch logs, the ISE configuration and the failed logs.

If someone has a clue on this or has come across this issue, please update me.

Thanks in advance.

1 Reply

Richard Atkin
Level 4

Instead of using the Wired_MAB prefix in your first three authorisation rules, refer to the Endpoint Identity Group instead. The reason you get Deny Access is because the event you're looking for isn't a MAC Auth event, and therefore those rules get skipped. Using the Endpoint Identity Group will allow you to evaluate the MAC Address and will get your rules working as required.

Sent from Cisco Technical Support iPad App