Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9097
Views
18
Helpful
6
Replies

New to Cisco ISE and wish to know how to configure ISE for Web Auth and MAB from WLC

Go to solution
graham-edwards
Level 1
Level 1

‎05-03-2017 04:01 PM

We have just bought the Cisco ISE 2.2 (But still running on Eval at the moment) and I am trying to configure this as the MAB authentication for the Cisco WLC – Presently we have a couple of SSIDs which we do Web Authentication on and then failing that goes to MAC Authentication – we do both of these on the WLC – but we want to be able to add the User Data Base for Web Auth and the MAC address lists onto the ISE? (As we have 2 WLC’s is a pain keeping info up to date on both)

I have had a good look around and am having trouble working out exactly where/ how I can do this – could you maybe point me in the right direction? I am on site in PNG at the moment and need to get this sorted before I can leave

Thanks in advance for your assistance.

1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to graham-edwards

‎05-04-2017 04:15 PM

Hi Graham

Oh I see.  You Create a Endpoint Identity Group that is a container for the MAC addresses you wish to have bypassing the authentication (i.e. to pass the MAB) - below is a summary screen showing a simple EIG containing a dummy MAC address.  You can add them in manually or add them from the internal database if ISE has seen the MAC before

MAB1.png

And then you create a AuthZ policy that does something if the MAC is found in the EIG.

I can't recall whether it worked or not, but be careful with creating hierarchies (multi-level EIG's) - I have a feeling that the Policies don't work well (I didn't have success with that in ISE 1.4).  Perhaps keep is simple as above and create another EIG for WLC 02 etc.

View solution in original post

6 Replies 6

Go to solution
Arne Bier
VIP
VIP

‎05-03-2017 04:56 PM

Hi Graham

Not sure I understand your question exactly, but here is my take.  You have Web-Auth as well as the ability to auto-login users who have already passed the Web-Auth (so that they don't have to authenticate again within a certain time frame).  On the WLC you would have enabled MAC Authentication so that the WLC sends a Service-Type = "Call Check" and the MAC address of the client as soon as the client associates to the open SSID.

With an ISE web portal you can tell ISE in which Endpoint Identity Group to place the MAC address once the user has successfully authenticated.  This happens automagically and by default it's the GuestEndpoints (but as I said, you can configure your portal to place the MAC address in any user defined EIG based on the Guest Type (contractor, daily, etc.)).

Your Wirelress MAB Policy should then perform the following Authorization check

If GuestEndpoints AND Wireless_MAB then Guest_Permissions

If Wireless_MAB then Guest_WebRedirect

The first AuthZ Policy will fail when the user first connects, because he is not in the EIG.  The second Policy will redirect him to the Portal.  Iff the user authenticates successfully on the web portal, then the first Policy will apply - until such time as you remove that MAC address from the EIG.

Examples below

Contractor Guest Type.png

Contractor Guest Type 2.png

Contractor Guest Type 3.png

Go to solution
graham-edwards
Level 1
Level 1
In response to Arne Bier

‎05-04-2017 03:51 PM

thank you for your response. I am trying to understand where on the ISE i can create the MAB entry for the bypass - IE on the Cisco WLC it is currently under Security MAC Filtering - we can set a MAC Address, description, SSID and WLAN -- Where we would we create this detail on the ISE so we can use the ISE as the Database instead of this being on the WLC (Reason being we have more than one WLC and do not wish to create all the MAC Filtering entries on each WLC and went for the ISE so we can have a centralised data base for the MAC filters/ allow. We also perform Web Authentication from the WLC and again this has a local Data base o the WLC under Local Network Users or configured from the Lobby portal. We wish this Data base of users to also be centralised and not have t rely on a local WLC database - but instead each WLC be able to perform a lookup on the Cisco ISE. Thanks in advance for your assistance.

Go to solution
Arne Bier
VIP
VIP
In response to graham-edwards

‎05-04-2017 04:15 PM

Hi Graham

Oh I see.  You Create a Endpoint Identity Group that is a container for the MAC addresses you wish to have bypassing the authentication (i.e. to pass the MAB) - below is a summary screen showing a simple EIG containing a dummy MAC address.  You can add them in manually or add them from the internal database if ISE has seen the MAC before

MAB1.png

And then you create a AuthZ policy that does something if the MAC is found in the EIG.

I can't recall whether it worked or not, but be careful with creating hierarchies (multi-level EIG's) - I have a feeling that the Policies don't work well (I didn't have success with that in ISE 1.4).  Perhaps keep is simple as above and create another EIG for WLC 02 etc.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎05-03-2017 05:06 PM

Graham,

Recommend you take a look at How-To: Monitor Mode Deployment with ISE. See page 13 for how to Create a Whitelist for Endpoints. It will also show you how to Create an Authorization Profile for Whitelisted Devices. That should get you what you need!

Go to solution
ranjit123
Level 3
Level 3
In response to thomas

‎09-23-2018 10:42 PM

Hello All,

 

I need to do somewhat similar thing below are the details..

 

For 802.1x wireless users who have account in AD will be authenticated by AD

and will match the Authorization profile accordingly

 

For Wireless users who do not have AD account should be authenticated locally and there MAC addresses should be permitted in authorization, how can i do this??

  

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ranjit123

‎09-24-2018 04:54 AM

Please provide more
Details in a new thread. It’s not clear to me
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents