05-18-2018 02:46 AM - edited 02-21-2020 10:56 AM
Hello,
I am looking for help setting up a policy set that can change the VLAN based on the user's AD group and whether they are using a trusted device authenticated by MAB.
I have a working policy that currently uses a site location. If a device connecting in that location has its MAC address in one of the identity groups it will assign the appropriate VLAN in the policy.
What I am looking to do is authenticate the user on the device as well, so if it is a staff member it gets a different result from a computing staff member, as long as the device is also authenticated by MAB.
05-18-2018 04:20 AM - edited 05-18-2018 04:23 AM
Yes. You can utilize the endpoint group and the user external (or internal) group in the authorization policy. ISE will check both conditions and if true it will assign the appropriate policy result.
If you have a rule that is doing only MAB (no user logged in), be sure the new rule that has the endpoint group and the user group is above that rule so it hits first.
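To illustrate the ordering point above, here is an added example (not Cisco or ISE code) that models how a first-match authorization policy walks its rules top-down; the rule names, group names, VLAN names and the deny-by-default fallback are constructed placeholders.

```python
"""Model of first-match authorization rule evaluation, as ISE applies it.
Added example, not ISE code. All group, rule and VLAN names are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Session:
    mac_in_trusted_group: bool             # endpoint identity group matched via MAB
    ad_groups: frozenset = frozenset()     # AD groups of the 802.1X user; empty if MAB only


@dataclass
class Rule:
    name: str
    vlan: str                              # authorization result (placeholder VLAN name)
    needs_trusted_mac: bool = True         # endpoint identity group condition
    needs_ad_group: Optional[str] = None   # None means no user-group condition

    def matches(self, s: Session) -> bool:
        """All conditions on the rule must be true (ISE ANDs them)."""
        if self.needs_trusted_mac and not s.mac_in_trusted_group:
            return False
        if self.needs_ad_group is not None and self.needs_ad_group not in s.ad_groups:
            return False
        return True


def authorize(rules: List[Rule], session: Session, default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, result) of the FIRST rule that matches, top-down."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.vlan
    return "Default", default               # assumed fallback when nothing matches


# Constructed rule set: combined (endpoint group AND user group) rules plus a MAB-only rule.
COMPUTING_RULE = Rule("ComputingStaff_TrustedDevice", "VLAN_COMPUTING", needs_ad_group="ComputingStaff")
STAFF_RULE = Rule("Staff_TrustedDevice", "VLAN_STAFF", needs_ad_group="Staff")
MAB_ONLY_RULE = Rule("TrustedDevice_MAB_Only", "VLAN_DEVICE")

# Correct: the more specific user+device rules sit above the MAB-only rule.
# ComputingStaff is kept above Staff in case a computing user is also in the Staff group.
CORRECT_ORDER = [COMPUTING_RULE, STAFF_RULE, MAB_ONLY_RULE]
# Wrong: the MAB-only rule is on top, so it shadows the user-aware rules for every trusted device.
WRONG_ORDER = [MAB_ONLY_RULE, COMPUTING_RULE, STAFF_RULE]

if __name__ == "__main__":
    staff = Session(True, frozenset({"Staff"}))
    print("correct order:", authorize(CORRECT_ORDER, staff))   # Staff_TrustedDevice / VLAN_STAFF
    print("wrong order:  ", authorize(WRONG_ORDER, staff))     # TrustedDevice_MAB_Only / VLAN_DEVICE
```

With the MAB-only rule on top, a staff user on a trusted device never reaches the staff rule; moving the combined rules above it is what makes the user group take effect.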
05-18-2018 07:26 AM - edited 05-18-2018 07:30 AM
Just to let you know, I have seen changes on the Endpoint Group value once an end user is authenticated using 802.1X. So if you want to authenticate users, be aware of this.