
Policy set rules AuthC and AuthZ MAB order best practices - ISE

laurathaqi (Level 3)

Dear community,

I need help on defining MAB rules for domain and non-domain machines that use the MAB protocol only.

Currently I have three use cases in mind:

1. Wired MAB HQ = Non domain - isolate it to VLAN 35
2. Wired MAB Branch = Non domain - Deny All
3. Wired MAB Domain - !!! Not sure what checks to do to let domain machines enter the domain network.

Do you have any idea on how to define the third rule and the order of the whole three rules?

Looking forward to hearing your ideas.

Thank you,
Laura

Accepted Solution: the first reply below.

2 Replies

@laurathaqi

For the 3rd rule, use the AD Probe to query Active Directory to determine whether the host is joined to the domain. Create a custom profile based on AD Joined and use this profile in the AuthZ rule. Place this rule above the other rules. Non-domain computers would not match this rule. Ideally, domain-joined computers would use dot1x and never use MAB to AuthC/AuthZ.

HTH

hslai (Cisco Employee)

Replace MAB with 802.1X as much as possible. If you have to use MAB, you may consider Easy Connect with domain computers.

In general, we put first those rules that are matched more frequently and/or those with more efficient conditions (e.g., not using an external ID source).
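To make the ordering point from both replies concrete (AD-joined rule on top, versus cheaper conditions on top), here is an added Python model of the top-down, first-match evaluation ISE applies to authorization rules. It is not ISE code and not from anyone in the thread: the location group names, the authorization profile names, the `ad_joined` flag standing in for the AD probe / custom profile result, and the sample endpoints are all constructed assumptions.

```python
"""Added model of ISE policy-set rule ordering for the three Wired MAB rules
from this thread. Not ISE code: it only reproduces the first-match, top-down
evaluation ISE applies to authorization rules, so the effect of rule order
can be checked offline. Location names, profile names, the ad_joined flag
(standing in for the AD probe result) and the endpoints are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Endpoint:
    mac: str
    location: str      # NAD location device group, "HQ" / "Branch" (assumed names)
    ad_joined: bool    # what the AD probe / custom "AD joined" profile would yield
    auth: str = "MAB"  # "MAB" or "dot1x"


@dataclass(frozen=True)
class AuthzRule:
    name: str
    condition: Callable[[Endpoint], bool]
    profile: str       # authorization profile returned on match (assumed names)


def wired_mab(ep: Endpoint) -> bool:
    return ep.auth == "MAB"


# Order recommended in the accepted reply: AD-joined rule first, location rules after.
# The location rules need no "not AD-joined" condition because the domain rule
# above them already caught every AD-joined host.
RULES_DOMAIN_FIRST: List[AuthzRule] = [
    AuthzRule("Wired MAB Domain",
              lambda e: wired_mab(e) and e.ad_joined, "Domain_Access"),
    AuthzRule("Wired MAB HQ non-domain",
              lambda e: wired_mab(e) and e.location == "HQ", "VLAN35_Isolation"),
    AuthzRule("Wired MAB Branch non-domain",
              lambda e: wired_mab(e) and e.location == "Branch", "DenyAccess"),
]

# Same three rules with the domain rule moved to the bottom: the location rules
# now shadow it, so AD-joined hosts are isolated or denied.
RULES_DOMAIN_LAST: List[AuthzRule] = RULES_DOMAIN_FIRST[1:] + RULES_DOMAIN_FIRST[:1]

# Cheaper location rules first (no external ID source lookup), as the second
# reply prefers. This only works if each location rule explicitly excludes
# AD-joined hosts.
RULES_CHEAP_FIRST: List[AuthzRule] = [
    AuthzRule("Wired MAB HQ non-domain",
              lambda e: wired_mab(e) and e.location == "HQ" and not e.ad_joined,
              "VLAN35_Isolation"),
    AuthzRule("Wired MAB Branch non-domain",
              lambda e: wired_mab(e) and e.location == "Branch" and not e.ad_joined,
              "DenyAccess"),
    AuthzRule("Wired MAB Domain",
              lambda e: wired_mab(e) and e.ad_joined, "Domain_Access"),
]


def first_match(rules: List[AuthzRule], ep: Endpoint) -> str:
    """ISE semantics: evaluate top-down and stop at the first rule whose
    condition holds; the implicit default rule at the bottom denies."""
    for rule in rules:
        if rule.condition(ep):
            return rule.profile
    return "DenyAccess"


def evaluate(rules: List[AuthzRule], endpoints: List[Endpoint]) -> Dict[str, str]:
    """Map each endpoint MAC to the profile the given rule order would return."""
    return {ep.mac: first_match(rules, ep) for ep in endpoints}


# Constructed sample endpoints, one per case the thread cares about, plus one
# dot1x host to show these MAB rules do not cover it at all.
SAMPLE: List[Endpoint] = [
    Endpoint("00:11:22:aa:bb:01", "HQ", ad_joined=True),
    Endpoint("00:11:22:aa:bb:02", "Branch", ad_joined=True),
    Endpoint("00:11:22:aa:bb:03", "HQ", ad_joined=False),
    Endpoint("00:11:22:aa:bb:04", "Branch", ad_joined=False),
    Endpoint("00:11:22:aa:bb:05", "HQ", ad_joined=False, auth="dot1x"),
]


if __name__ == "__main__":
    for label, rules in (("domain first", RULES_DOMAIN_FIRST),
                         ("domain last", RULES_DOMAIN_LAST),
                         ("cheap first", RULES_CHEAP_FIRST)):
        print(label, evaluate(rules, SAMPLE))
```

With the domain rule on top, both AD-joined hosts get `Domain_Access` and the non-domain hosts fall through to their location rule. With the domain rule at the bottom, the HQ host that is AD-joined lands in VLAN 35 and the Branch one is denied, which is the failure the accepted reply's ordering avoids. The third rule set gives the same results as the first, but only because each location rule carries its own `not ad_joined` check; that is the trade-off if you follow the second reply and put the cheaper conditions first. The dot1x host matches none of these MAB rules and hits the default deny, which is a reminder that domain machines using 802.1X need their own rules.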
