hugomejias
Beginner

Problem to authenticate MAC address on ISE

Hi guys,

I have a lab with an ISE ver 1.1.1 installed on VMware, a 3750 switch, a WLC 4200 and one AP registered on the WLC. The WLC and AP are connected to the switch. We are testing user authentication using a Samsung tablet and it works OK. The authentication process uses the actual AD. The issue is when I try to authenticate the device using its MAC address. I have been reading many papers, but none of them explains the steps to do both authentications, by user and by MAC address, using the ISE.

Can anyone help me with the MAC address authentication process on ISE? In the final deployment, our client wants to use user and device authentication.

Thank you for your attention on this matter.

5 REPLIES 5
Tarik Admani
Advocate

Hugo,

Can you please post the configuration of your port? You might want to consider device registration web authentication. This is a feature that you can enable which creates a portal that appears to be an AUP page and statically assigns the users to an endpoint identity group. I posted a write-up of this, which can be found here, with screenshots and the user experience.

https://supportforums.cisco.com/docs/DOC-26667

You can download the PDF; it looks much better.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your reply,

The port configuration of the switch is this:

    DEMOSW# sh run int Gi2/0/11
     description Access Wireless LAN Controller
     switchport trunk encapsulation dot1q
     switchport mode trunk
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     spanning-tree portfast

    DEMOSW# sh run int Gi2/0/12
     description Access Point
     switchport access vlan 103
     spanning-tree portfast

Our goal is that the tablets' MAC addresses can be authenticated using the ISE Internal Endpoints Database.

I hope you can help me with it.

Thank you for your attention on this matter.

Regards.

Hugo,

If you are trying to authenticate the tablets via wireless, then you must have the MAC filtering option set in the Layer 2 Security submenu on the WLC. What version of code are you running on the WLC?

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Version of IOS: 7.0.235.0

It is a Cisco WLC 4400 Series.

Let me know if you need anything else.

Regards.

Hugo,

Do you have MAC filtering enabled? If so, do you see the MAC address being authenticated successfully? You will have to enable both MAC filtering and dot1x authentication.

Thanks,

Tarik Admani
*Please rate helpful posts*
