01-05-2025 11:43 AM
I am facing an issue with Cisco ISE version 3.3. I created a policy for wireless MAB authentication to restrict access for certain endpoints, as shown in the attached image. However, unauthorized endpoints are still able to connect to the SSID by matching the default ‘Default_Authenticated_Access’ policy. Disabling this policy causes issues with access to other SSIDs. How can I resolve this?
01-09-2025 12:58 PM - edited 01-09-2025 01:03 PM
What your very first screenshot tells me is that you have built a bunch of Authentication Rules under a single Policy Set.
You have not shown us your top-level Policy Set - and I think this is where the problem lies.
You should create a separate Policy Set for each type of Policy - e.g. in the top-level ISE Policy Set, create stuff like this:
If you want to build logic for Wireless MAB, then click into the Wireless MAB Policy (click on the far right ' > ' icon), and then start building Authentication and Authorization logic.
If you have a bunch of SSIDs, then you can also keep the Policy Set nice and tidy by creating one Policy per SSID at the top level. That would obviously also be the case for separating Guest Wireless (Wireless_MAB & Normalised SSID Contains 'GUEST') and 802.1X (Wireless_802.1X & Normalised SSID Contains 'Corp'), etc.
The Smart Condition 'Wireless_MAB' assumes that your NAD has been tagged with the appropriate vendor (e.g. Cisco, HP etc.) since some NAD devices send different RADIUS attributes during MAB - ISE abstracts this with 'Wireless_MAB'. You can further abstract the SSID name with the Smart Condition 'Normalised RADIUS: SSID' instead of referring to Called-Station-ID (under the hood it uses Called-Station-ID, but the SSID condition is more descriptive to the human).
I noticed that your Guest Redirection Rule 'UTC-Guest_GuestAccessPolicy' comes AFTER the 'UTC-Guest_RediretPolicy' - the logic is wrong - if your Rule is Wireless MAB & SSID UTC-Guest, then this will be true every time, and the rule that follows it won't ever be matched. You need to swap them around - the more specific Rules must always come before the less specific rules, when there is common logic. And also 'UTC Guest Redirect' rule is the wrong description - swap the descriptions of the UTC Guest Rules.
If wireless MAB is failing through to the default Policy, then it means that ISE is not matching all the conditions, and perhaps the NAD is not sending the attributes you expect.
Is the NAD Cisco AireOS, 9800, Meraki, or what?
e.g. If I recall, Meraki uses PAP authentication, and not MAB. That requires a different set of Rules.
But I think your main issue is that you have not split out your Policy Sets to make the logic clear/clean.
01-05-2025 11:51 AM
Can I see the policy set you use in ISE?
MHM
01-05-2025 12:00 PM
How are you matching the Mac address?
If you disable Default_Authenticated_Access and other SSIDs are impacted, maybe it is better to review your policies.
01-05-2025 12:17 PM
After disabling Default_Authenticated_Access, clients trying to associate keep loading and do not gain access on any SSID, MAB or dot1x.
01-05-2025 12:14 PM - edited 01-05-2025 12:32 PM
@Flavio Miranda @MHM Cisco World
Here’s the authentication and authorization policies.
As I said before, the unauthorized MAC hits the basic_authenticated_access policy, as shown in the live logs.
01-05-2025 01:22 PM - edited 01-05-2025 01:26 PM
I am looking at the print on a smartphone. I cannot see where you set up the WLAN ID for MAB.
01-05-2025 01:35 PM
called-id <<- how do you config this in the WLC and under the policy set? I see only 'ends with'. Can you elaborate more?
MHM
01-05-2025 08:58 PM - edited 01-05-2025 11:19 PM
@MHM Cisco World @Flavio Miranda
I’m using condition called-station-Id ends with “ssid name”.
FYI, the unauthorized MACs are assigned the policy's SGT or authorization profile, and that shouldn't happen.
I mean that unauthorized devices are assigned the VLAN and take an IP address from the VLAN pool, then hit the basic_authenticated_access policy.
I don’t know if it’s related with authentication policy or not
01-05-2025 11:21 PM
Can you add a match on called-id (with SSID) for the guest policy?
MHM
01-06-2025 12:52 AM
Already added. Check highlights
01-09-2025 12:04 AM
I will send you PM tomorrow
MHM
01-09-2025 02:42 PM
@Arne Bier You are right.
Regarding guest, it's created by Cisco Catalyst Center with this sequence.
01-09-2025 02:56 PM
Are you getting hits on the UTC Guest_GuestAccessPolicy? And does Guest work as expected?
Unless I missed something, the second Rule should have no hits, because it makes no logical sense in that order: ISE does not look ahead in the rules to see if there is a better match - it stops when the conditions satisfy the Boolean operator. In this case it's an AND, which means both conditions must be TRUE to make the AND operator succeed.
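The two points made in the accepted answer and in this reply (one Policy Set per access type/SSID with its own default, and more-specific rules before broader ones because ISE stops at the first TRUE match) as a small simulation. This is an added example, not ISE code or anything posted in the thread; the RADIUS attribute values follow what a Cisco WLC sends for MAB, while the SSIDs, MACs, rule/result names and the `GuestFlow` flag are constructed for illustration.

```python
# Added example, not ISE code: a toy model of ISE's top-down, first-match
# evaluation of policy sets and rules. SSIDs, MACs and result names are constructed.
from collections import namedtuple
from typing import Callable, Dict, List

Request = Dict[str, str]
Condition = Callable[[Request], bool]
Rule = namedtuple("Rule", "name condition result")
PolicySet = namedtuple("PolicySet", "name condition rules default")  # own default per set

def wireless_mab(r: Request) -> bool:
    """Approximates the 'Wireless_MAB' smart condition as seen from a Cisco WLC."""
    return (r.get("NAS-Port-Type") == "Wireless - IEEE 802.11"
            and r.get("Service-Type") == "Call Check")

def ssid_ends_with(ssid: str) -> Condition:
    # Cisco WLCs typically send Called-Station-Id as "<AP-MAC>:<SSID>", hence 'ends with'
    return lambda r: r.get("Called-Station-Id", "").endswith(":" + ssid)

def all_of(*conds: Condition) -> Condition:
    return lambda r: all(c(r) for c in conds)

def evaluate(sets: List[PolicySet], r: Request) -> tuple:
    """First TRUE policy set, then its first TRUE rule. No look-ahead: order decides."""
    for ps in sets:
        if ps.condition(r):
            for rule in ps.rules:
                if rule.condition(r):
                    return ps.name, rule.name, rule.result
            return ps.name, "Default", ps.default   # this set's default, not the global one
    return "Default", "Default", "Default_Authenticated_Access"

IOT_MACS = {"aa:bb:cc:00:00:01"}                       # constructed allow-list
is_iot = all_of(wireless_mab, ssid_ends_with("IoT"))
is_guest = all_of(wireless_mab, ssid_ends_with("UTC-Guest"))
def portal_done(r: Request) -> bool:                   # assumed flag for a completed portal login
    return r.get("GuestFlow") == "true"
known_iot = Rule("Known IoT", lambda r: r.get("Calling-Station-Id", "").lower() in IOT_MACS, "PermitAccess")
redirect = Rule("UTC-Guest_Redirect", is_guest, "Guest_Redirect")
access = Rule("UTC-Guest_GuestAccess", all_of(is_guest, portal_done), "PermitAccess")

GOOD = [PolicySet("Wireless MAB IoT", is_iot, [known_iot], "DenyAccess"),
        PolicySet("Guest", is_guest, [access, redirect], "DenyAccess")]  # specific rule first
BAD = [PolicySet("Guest", is_guest, [redirect, access], "DenyAccess")]   # 'access' can never hit

def mab_request(ssid: str, mac: str, portal: bool = False) -> Request:
    """Constructed RADIUS attributes as a Cisco WLC sends them for MAB."""
    return {"NAS-Port-Type": "Wireless - IEEE 802.11", "Service-Type": "Call Check",
            "Called-Station-Id": "00-11-22-33-44-55:" + ssid, "Calling-Station-Id": mac,
            "GuestFlow": "true" if portal else "false"}
```

With the IoT SSID in its own Policy Set, an unknown MAC on that SSID hits that set's DenyAccess default while other SSIDs still fall through to the global default; with the guest rules in the `BAD` order, the GuestAccess rule never gets a hit even after the portal flag is set.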
01-09-2025 04:40 PM
So in the end, is it solved or not? Can you confirm?
Thanks a lot
MHM