Wifi MAC authentication on ISE 1.3

y.lo
Level 1

We are trying to configure ISE to authenticate Wi-Fi users through the WLC using their MAC address.

ISE checks against the internal endpoint identity store for authorized MAC addresses.

We found that the first time a Wi-Fi device tries to connect (its MAC address has not yet been manually entered in the internal endpoint identity store), the authentication fails, which is normal. However, after this authentication failure, the MAC address is automatically added to the internal endpoint identity store, so the next time the same Wi-Fi device tries to connect, the authentication succeeds.

How to configure ISE to prevent this from happening?

6 Replies

jan.nielsen
Level 7

An "authorized" MAC address should be made so by putting it into a specific group in ISE manually, so that you have to move it there to allow it to connect. Then update your authz rule to only allow MAC addresses from that specific internal group.

Just so we are clear, this is not for guest access, right? Is it just an open SSID where you want to control which MAC addresses are allowed on there?

Yes, they are authorized and not guests. I already put them into an endpoint identity group. However, in the authorization policy I can only select the built-in default internal endpoint identity group, not the one I created. How can I select the one I created?

Hi Daniel,

Make sure that in your Authentication Policy for MAB, if the user is not found, set the option to Drop.

Try with that.

I tried setting the option to Drop, but the MAC address is still stored in the internal endpoint database. So the next time the same device authenticates, the authentication succeeds, which is not desired.

When you create the identity group that you want to use in profiling, make sure you select "Yes, create matching Identity Group".

The group will become available for selection in your policy.

Otherwise, as you've found, every endpoint in the whole system will be allowed on by default.
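The behaviour the two replies above describe (the profiler auto-creates an endpoint record on the first failed MAB attempt, so an authorization rule that only asks "is this MAC in Internal Endpoints?" lets every previously seen device on, while a rule matching the admin-created group does not) can be modelled as a small simulation. This is an added illustration written for this thread, not Cisco ISE code or configuration export: the group names `Unknown` and `AuthorizedWifi` and the `mab()` decision function are assumptions standing in for the profiler and the authorization policy.

```python
"""Model of MAB (MAC Authentication Bypass) against an endpoint store whose
profiler auto-learns unknown MACs, contrasting a catch-all authorization rule
with one restricted to a specific endpoint identity group.

Added illustration, not Cisco ISE code. Group names are assumptions.
"""
from dataclasses import dataclass, field
import re

DEFAULT_GROUP = "Unknown"           # assumed name of the auto-learned default group
AUTHORIZED_GROUP = "AuthorizedWifi"  # assumed name of the admin-created group


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to AA:BB:CC:DD:EE:FF.

    A store keyed on raw strings would treat '0011.2233.4455' and
    '00-11-22-33-44-55' as different endpoints, so normalise first.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


@dataclass
class EndpointStore:
    # mac -> endpoint identity group
    endpoints: dict = field(default_factory=dict)
    # The profiler creates an endpoint record for every MAC it sees, whether or
    # not authentication succeeded (the OP observed this even with "Drop").
    profiler_learns_unknown: bool = True

    def add_static(self, mac: str, group: str) -> None:
        """Administrator manually places a MAC in a specific group."""
        self.endpoints[normalize_mac(mac)] = group

    def mab(self, mac: str, authz_rule):
        """One MAB attempt: returns (access_granted, reason) and applies the
        profiler side effect of auto-learning an unknown MAC."""
        mac = normalize_mac(mac)
        if mac not in self.endpoints:
            if self.profiler_learns_unknown:
                self.endpoints[mac] = DEFAULT_GROUP
            # Whether the authentication policy says Reject or Drop, this
            # attempt fails; the difference is only in what is sent to the WLC.
            return False, "user not found"
        return authz_rule(self.endpoints[mac])


def rule_any_internal_endpoint(group: str):
    """Authz rule conditioned only on the endpoint existing in Internal Endpoints."""
    return True, f"matched Internal Endpoints (group {group})"


def rule_authorized_group_only(group: str):
    """Authz rule that permits only members of the admin-created group;
    everything else falls through to the implicit default deny."""
    if group == AUTHORIZED_GROUP:
        return True, f"matched {AUTHORIZED_GROUP}"
    return False, f"group {group} not permitted; default deny"


def simulate(authz_rule, attempts: int = 2, mac: str = "00:11:22:33:44:55"):
    """Run the same unknown device against a fresh store several times and
    return the list of access decisions (constructed scenario)."""
    store = EndpointStore()
    return [store.mab(mac, authz_rule)[0] for _ in range(attempts)]


if __name__ == "__main__":
    print("catch-all rule:   ", simulate(rule_any_internal_endpoint))   # [False, True]
    print("group-only rule:  ", simulate(rule_authorized_group_only))   # [False, False]
    store = EndpointStore()
    store.add_static("0011.2233.4455", AUTHORIZED_GROUP)
    print("static member:    ", store.mab("00-11-22-33-44-55", rule_authorized_group_only))
```

The second run of `simulate(rule_any_internal_endpoint)` succeeds purely because the first failed attempt populated the store; changing the authentication policy's "user not found" action does not change that. Only the authorization condition (match the specific group, never the whole internal store) closes the gap, which is what both replies above recommend.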

I am not able to locate the item "Yes, create matching Identity Group" when creating the identity group.

Could you advise the specific location? Thanks a lot.