Using local User identity store with Cisco MAB (ISE 1.4)

Hi

Is it possible to use the local "Users" identity store (ISE 1.4) with MAB (MAC Auth Bypass)?

We have a need to allow the same MAC address to be used on different VLANs at different locations (sites). This doesn't seem to be possible using the Endpoint store, as you can only specify the MAC to be part of one group.

In testing I can't get MAB (Cisco 3650) to authenticate successfully when the MAC address (example username=00aa22bbcc33, pwd=00aa22bbcc33) is in the User store.

regards

Martyn

Network Services

University of South Wales

2 Replies

jan.nielsen
Level 7

No.

Are we talking a few sites, or many sites?

If it's just a few different sites, you could just create an authorization rule per site by placing the switches in different locations when you add them to ISE, then create rules that look in the same endpoint group, and what location the switch is on, and then send different vlans in your authz result.

Also, if we are talking about the vlan id is different on different sites but used for the same thing, then just name the vlan the same name, and send the vlan name instead.


If you have a number of sites to deal with, another potential option is to use a vlan group on the switch.  Each vlan group is locally significant to the switch - in other words, you could create a vlan group name that is consistent across all switches, but each switch could have the relevant vlan mapped to this vlan group name (kind of like an alias).  This will keep your authz profile count down, but give you the ability to have the endpoints placed in a vlan that is locally significant to that switch.  It will also keep you from having to rename vlans - again, no big deal if there are only a small number of sites as Jan already stated.  I worked with a university campus with a number of buildings and all had different vlan numbers and naming so it worked well in that scenario.

This is similar to the Interface Groups concept in the WLC.  However, one word of caution, do NOT use more than one vlan when defining the vlan-list if you are using machine and user auth (MAR), or dynamic DNS.  Unlike the WLC, the switch does not have the intelligence to realize that if you just performed a machine auth for an endpoint, you'll want to use the same vlan for the upcoming user auth. 

Here is an example from my aging 3750v1:

vlan group data vlan-list 19

Hope that helps.

Tim
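As an added illustration of the vlan-group approach described above (not configuration from the original thread), here is the switch side for two sites whose data VLAN has a different ID, together with the RADIUS attributes the single ISE authorization profile would return; the VLAN IDs, VLAN names, group name and profile name are assumed.

```cisco
! Site A switch (assumed: VLAN 19 is the data VLAN at this site)
vlan 19
 name DATA_SITE_A
vlan group data vlan-list 19
!
! Site B switch (assumed: VLAN 210 is the data VLAN at this site)
vlan 210
 name DATA_SITE_B
vlan group data vlan-list 210
!
! Both switches know a group called "data", so one ISE authorization
! profile (assumed name "MAB_DATA") serves every site. The switch
! resolves the returned group name to its locally mapped VLAN.
! RADIUS attributes that profile returns in the Access-Accept:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = data
!
! Keep a single VLAN in each vlan-list when machine and user auth
! (MAR) or dynamic DNS is in use, for the reason given above.
!
! Confirm the mapping on each switch after configuration:
!   show vlan group
```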