Unauthorized Endpoint Access Issue with Wireless MAB Authentication

tamer01 (Level 1)

I am facing an issue with Cisco ISE version 3.3. I created a policy for wireless MAB authentication to restrict access for certain endpoints, as shown in the attached image. However, unauthorized endpoints are still able to connect to the SSID by matching the default ‘Default_Authenticated_Access’ policy. Disabling this policy causes issues with access to other SSIDs. How can I resolve this?

Accepted Solution

Arne Bier (VIP)

What your very first screenshot tells me, is that you have built a bunch of Authentication Rules under a single Policy Set.

You have not shown us your top-level Policy Set - and I think this is where the problem lies.

 

You should create a Separate Policy Set for each type of Policy - e.g. in the top-level ISE Policy Set, create stuff like this:

[image: ArneBier_0-1736456613608.png]

If you want to build logic for Wireless MAB, then click into the Wireless MAB Policy (click on the far right ' > ' icon), and then start building Authentication and Authorization logic.

If you have a bunch of SSIDs, then you can also keep the Policy Set nice and tidy by creating one Policy per SSID at the top level. That would obviously also be the case for separating Guest Wireless (Wireless_MAB & Normalised SSID Contains 'GUEST') and 802.1X (Wireless_802.1X & Normalised SSID Contains 'Corp'), etc.

The Smart Condition 'Wireless_MAB' assumes that your NAD has been tagged with the appropriate vendor (e.g. Cisco, HP etc.) since some NAD devices send different RADIUS attributes during MAB - ISE abstracts this with 'Wireless_MAB'. You can further abstract the SSID name with the Smart Condition 'Normalised RADIUS: SSID' instead of referring to Called-Station-ID (under the hood it uses Called-Station-ID, but the SSID condition is more descriptive to the human).

I noticed that your Guest Redirection Rule 'UTC-Guest_GuestAccessPolicy' comes AFTER the 'UTC-Guest_RediretPolicy' - the logic is wrong - if your Rule is Wireless MAB & SSID UTC-Guest, then this will be true every time, and the rule that follows it won't ever be matched. You need to swap them around - the more specific Rules must always come before the less specific rules, when there is common logic. And also 'UTC Guest Redirect' rule is the wrong description - swap the descriptions of the UTC Guest Rules.

If wireless MAB is failing through to the default Policy, then it means that ISE is not matching all the conditions, and perhaps the NAD is not sending the attributes you expect.

Is the NAD Cisco AireOS, 9800, Meraki, or what?

e.g. If I recall, Meraki uses PAP authentication, and not MAB. That requires a different set of Rules.

But I think your main issue is that you have not split out your Policy Sets to make the logic clear/clean.


14 Replies

Can I see the policy set you use in ISE?

MHM

@tamer01 

How are you matching the MAC address?

If disabling Default_Authenticated_Access impacts other SSIDs, maybe it is better to review your policies.

After disabling Default_Authenticated_Access, association attempts keep loading and do not gain access on any SSID, MAB or dot1x.

tamer01 (Level 1)

@Flavio Miranda @MHM Cisco World 
Here are the authentication and authorization policies.
As I said before, the unauthorized MAC hits the basic_authenticated_access policy, as shown in the live logs.

@tamer01 

I am looking at the print on a smartphone. I cannot see where you set up the WLAN ID for MAB.

Called-ID <<- how do you configure this in the WLC and under the policy set? I see only 'ends with'; can you elaborate more?

MHM

@MHM Cisco World @Flavio Miranda 

I'm using the condition Called-Station-ID ends with "ssid name".

FYI, the unauthorized MACs are assigned the policy's SGT or authorization profile, and that shouldn't happen.

I mean that unauthorized devices are assigned the VLAN, take an IP address from the VLAN pool, and then hit the basic_authenticated_access policy.

I don't know if it's related to the authentication policy or not.

Can you add a match on Called-ID (with SSID) for the guest policy?

MHM

@MHM Cisco World 

Already added. Check the highlights.

I will send you a PM tomorrow.

MHM


@Arne Bier You are right.

Regarding guest, it's created by Cisco Catalyst Center with this sequence.

Are you getting hits on the UTC Guest_GuestAccessPolicy? And does Guest work as expected?

[image: ArneBier_0-1736463186137.png]

Unless I missed something, the second Rule should have no hits, because it makes no logical sense in that order: ISE does not look ahead in the rules to see if there is a better match; it stops when the conditions satisfy the Boolean operator, in this case an AND, which means both conditions must be TRUE for the AND operator to succeed.
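The two points Arne makes above (a broader rule placed first shadows the specific one, and a request whose attributes do not satisfy every condition falls through to the default rule), as an added Python model that is not from the thread and not ISE's own code: Wireless_MAB is simplified to NAS-Port-Type plus Service-Type, the Guest Flow condition on the access rule is an assumption, and the RADIUS requests are constructed samples.

```python
# Added example, not code from the thread: a minimal model of how an ISE policy
# evaluates rules top-down, first match wins, with AND requiring every condition.
# Rule names and SSID come from the thread; Guest Flow and the requests are assumed.

def wireless_mab(req):
    # Simplified Wireless_MAB: wireless port type plus the MAB service type.
    return (req.get("NAS-Port-Type") == "Wireless - IEEE 802.11"
            and req.get("Service-Type") == "Call Check")

def ssid_ends_with(ssid):
    # The thread's condition: Called-Station-ID ENDS WITH "<ssid>".
    return lambda req: req.get("Called-Station-ID", "").endswith(ssid)

def guest_flow(req):
    # Assumed post-portal condition: Network Access:UseCase EQUALS Guest Flow.
    return req.get("Network Access:UseCase") == "Guest Flow"

CONDITIONS = {
    "Wireless_MAB": wireless_mab,
    "SSID UTC-Guest": ssid_ends_with("UTC-Guest"),
    "Guest Flow": guest_flow,
}

# Rule order as posted: the broader redirect rule sits above the specific one.
AS_POSTED = [
    ("UTC-Guest_RediretPolicy", {"Wireless_MAB", "SSID UTC-Guest"}),
    ("UTC-Guest_GuestAccessPolicy", {"Wireless_MAB", "SSID UTC-Guest", "Guest Flow"}),
]
FIXED = list(reversed(AS_POSTED))  # most specific rule first, as recommended

def evaluate(rules, req, default="Default_Authenticated_Access"):
    """Name of the first rule whose conditions are ALL true, else the default."""
    for name, conds in rules:
        if all(CONDITIONS[c](req) for c in conds):
            return name
    return default

def shadowed(rules):
    """Rules that can never match: an earlier rule's conditions are a subset."""
    return [name for i, (name, conds) in enumerate(rules)
            if any(prev <= conds for _, prev in rules[:i])]

# Constructed sample requests (AP MAC is a placeholder).
BASE = {"NAS-Port-Type": "Wireless - IEEE 802.11", "Service-Type": "Call Check",
        "Called-Station-ID": "aa-bb-cc-dd-ee-ff:UTC-Guest"}
PRE_PORTAL = dict(BASE)                                       # first MAB attempt
POST_PORTAL = {**BASE, "Network Access:UseCase": "Guest Flow"}  # after the portal
NO_SERVICE_TYPE = {k: v for k, v in BASE.items() if k != "Service-Type"}  # odd NAD
```

Running `shadowed(AS_POSTED)` flags the guest-access rule as unreachable, while `evaluate(FIXED, NO_SERVICE_TYPE)` shows a NAD that omits an expected attribute landing on the default rule, which is what the live logs in this thread describe.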

So in the end, is it solved or not? Can you confirm?

Thanks a lot

MHM