06-29-2021 06:47 AM
Dear community,
I need help defining MAB rules for domain and non-domain machines that use the MAB protocol only.
Currently having three use cases in mind:
1. Wired MAB HQ = Non domain - isolate it to VLAN 35
2. Wired MAB Branch = Non domain - Deny All
3. Wired MAB Domain - !!! Not sure what checks to do to let domain machines enter the domain network.
Do you have any idea on how to define the third rule and the order of the whole three rules?
Looking forward to hearing your ideas.
Thank you,
Laura
06-29-2021 07:17 AM
For the 3rd rule, use the AD Probe to query Active Directory to determine whether the host is joined to the domain. Create a custom profile based on AD Joined and use this profile in the AuthZ rule. Place this rule above the other rules. Non-domain computers would not match this rule. Ideally domain joined computers would use dot1x and not ever use MAB to AuthC/AuthZ.
HTH
07-05-2021 08:33 AM
Replace MAB with 802.1X as much as possible. If you have to use MAB, you may consider Easy Connect with domain computers.
In general, we will put first those more frequently used and/or those with more efficient conditions (e.g., not using an external ID source).
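To make the ordering point from the replies concrete, here is an added example (not from the thread and not Cisco ISE code) that simulates ISE's top-down, first-match authorization evaluation. The rule names, the `location` attribute, the `AD Joined` flag and the authorization profile names are assumptions chosen to mirror the three rules in the question.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed view of what ISE knows about a MAB endpoint after profiling.
# ad_joined stands for the custom "AD Joined" profile populated by the AD probe (assumed name).
@dataclass
class Endpoint:
    mac: str
    location: str      # NAD location group, assumed values "HQ" or "Branch"
    ad_joined: bool    # True when the AD probe reports the host as domain-joined

@dataclass
class Rule:
    name: str
    condition: Callable[[Endpoint], bool]
    profile: str       # authorization profile returned on match (assumed names)

def evaluate(rules: List[Rule], ep: Endpoint) -> Tuple[str, str]:
    """Top-down first-match evaluation, as an ISE authorization policy behaves.
    Returns (matched rule name, authorization profile); falls through to a deny default."""
    for rule in rules:
        if rule.condition(ep):
            return rule.name, rule.profile
    return "Default", "DenyAccess"

# The three rules from the question. Because the domain rule is evaluated first,
# the HQ and Branch rules do not need their own "non-domain" check.
DOMAIN = Rule("Wired MAB Domain", lambda e: e.ad_joined, "PermitAccess")
HQ_NON_DOMAIN = Rule("Wired MAB HQ", lambda e: e.location == "HQ", "Isolation_VLAN35")
BRANCH_NON_DOMAIN = Rule("Wired MAB Branch", lambda e: e.location == "Branch", "DenyAccess")

RECOMMENDED_ORDER = [DOMAIN, HQ_NON_DOMAIN, BRANCH_NON_DOMAIN]   # domain rule on top, as advised
WRONG_ORDER = [HQ_NON_DOMAIN, BRANCH_NON_DOMAIN, DOMAIN]         # domain rule at the bottom

def compare_orders(ep: Endpoint) -> Tuple[str, str]:
    """Profile an endpoint receives under each ordering, to show why placement matters."""
    return evaluate(RECOMMENDED_ORDER, ep)[1], evaluate(WRONG_ORDER, ep)[1]

if __name__ == "__main__":
    # Constructed sample endpoints (MAC addresses are placeholders).
    for ep in (Endpoint("00:11:22:33:44:01", "HQ", True),
               Endpoint("00:11:22:33:44:02", "HQ", False),
               Endpoint("00:11:22:33:44:03", "Branch", False)):
        print(ep.mac, ep.location, "AD joined" if ep.ad_joined else "not joined", "->", compare_orders(ep))
```

With the domain rule at the bottom, a domain-joined host at HQ matches the HQ rule first and lands in the isolation VLAN, which is exactly what placing the AD Joined rule above the others prevents.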