
Cisco ISE configuration no internet access

jldebelder1984
Level 1

Hello,

I have been stuck for several days on an ISE authentication problem with SAML.

Microsoft authentication works fine, then ISE redirects to google.com and it fails to change the authorization profile. As he does not have Internet access with the basic ACL, he returns to Microsoft authentication.

It does add my MAC address in the group: EIG_BYODEndpoints

my authorization profile:

[screenshot]

 

If I cut my wifi and restart my connection, I have internet access directly without going through SAML authentication.

5 Replies

ianbirchall
Level 1

Which Authorization Profile should it be hitting? 
It is hitting the Endpoint ID group, but within the Profile set it is hitting default. I assume because there is no relevant Auth Profile with the BYOD User MAB.

Kindest Regards,
Ian Tony Birchall

Thank you for your answer.
With the default because it's his first connection.

What's weird is that when I log back in (after turning off wifi) then it matches with "BYOD USER MAB".

After the SAML validation, he adds the MAC address in the group but he can't match in the first Authorization Profile.

If I am right, the first condition will match MACs in the EIG_BYODEndpoints, so that makes sense that the authorization is BYOD User MAB.
So the problem is with SAML validation, it should be achieving the same as the MAC is detailed and should be captured within the endpoints, correct?

Kindest Regards,
Ian Tony Birchall

Yes that's right.
