User authentication with MAB

Jason Weids
Level 1

Hello,

I am looking for help setting up a policy set that can change the VLAN based on the user's AD group & if they are using a trusted device by MAB.

I have a working policy that currently uses a site location. If a device connecting in that location has its MAC address in one of the identity groups it will assign the appropriate VLAN in the policy.

What I am looking to do is authenticate the user on the device as well, so if it is a staff member it gets a different result from a computing staff member as long as the device is also authenticated by MAB.

2 Replies

Joseph Johnson
Level 1

Yes. You can utilize the endpoint group and the user external (or internal) group in the authorization policy. ISE will check both conditions and if true it will assign the appropriate policy result.

If you have a rule that is doing only MAB (no user logged in), be sure the new rule that has the endpoint group and the user group is above that rule so it hits first.
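
The rule ordering described in the reply above, as an added example that is not part of the original thread and is not ISE configuration: a simplified first-match model showing how a MAB-only rule placed first shadows the combined endpoint-group and user-group rules. The group names, VLAN results, default result and function names are all constructed for illustration, and top-down first-match evaluation is an assumption of the model.

```python
# Simplified first-match authorization model (added example, not ISE's API).
# Group names, results and the default are constructed for illustration.

# Each rule: (name, required session attributes, result).
GOOD_ORDER = [
    ("Trusted+ComputingStaff",
     {"endpoint_group": "Trusted", "user_group": "ComputingStaff"}, "VLAN_COMPUTING"),
    ("Trusted+Staff",
     {"endpoint_group": "Trusted", "user_group": "Staff"}, "VLAN_STAFF"),
    ("MAB-only", {"endpoint_group": "Trusted"}, "VLAN_DEVICE"),
]
# Same rules, with the MAB-only rule moved to the top.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]
DEFAULT_RESULT = "DenyAccess"


def matches(conditions, session):
    """A rule matches when every required attribute equals the session's value."""
    return all(session.get(key) == value for key, value in conditions.items())


def authorize(rules, session):
    """Return the result of the first matching rule, top down."""
    for _name, conditions, result in rules:
        if matches(conditions, session):
            return result
    return DEFAULT_RESULT


def shadowed_rules(rules):
    """Names of rules that can never hit because an earlier rule's conditions
    are a subset of theirs (the earlier rule matches every session they match)."""
    shadowed = []
    for index, (name, conditions, _result) in enumerate(rules):
        if any(earlier.items() <= conditions.items()
               for _n, earlier, _r in rules[:index]):
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    staff_on_trusted = {"endpoint_group": "Trusted", "user_group": "Staff"}
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, authorize(rules, staff_on_trusted), shadowed_rules(rules))
```
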

ajc
Level 7

Just to let you know, I have seen changes on the Endpoint Group value once an end user is authenticated using 802.1x. So if you want to authenticate users, be aware of this.