Scenario 1. Switch port configured for MAB and dot1x. Cisco ISE 2.2 configured for network authentication.
A Dell laptop is then connected to the switch port. ISE dynamically profiles the laptop as Dell and adds the MAC address to the internal endpoint database.
Authentication passes. The default authorisation permits access.
Question. Why is ISE adding the MAC address to the internal endpoint database? Surely this is a security risk. If ISE is dynamically profiling and then adding to the internal endpoint database, an attacker can connect his laptop to a switch and be authenticated. How do you stop this without creating an authorisation profile to restrict access? Surely you should be able to configure ISE so authentication fails.
Scenario 2. Following the Central Web Authentication workflow, I cannot get authentication to fail because every device I connect to the port is dynamically profiled and added to the internal endpoint database. Then authentication passes.
Question 2. The default behaviour of ISE, which is to profile and add the device into the endpoint database and then pass authentication for the device, will mean you can never pass phase 1 of the CWA workflow. How do you get around this?
In most cases, Internal Endpoints is only used for authentication. Authorization is used in conjunction with a specific Profiled group (say Dell, Cisco IP phone) to allow access.
For CWA, you would need to authenticate known MAC addresses and allow unknown MAC addresses to authenticate. Authorization is where you would use a policy to catch any unknown MAC address into the CWA redirect.
To clarify my understanding further:
MAB authentication is for devices on the network: IP cameras, card readers etc.
So this matches one of my use cases. Excellent.
From your explanation I understand that authentication and authorisation will have to work hand in hand for the requirement.
For CWA to work you have to fail MAB authentication (as the device is a guest/unknown on your network).
So the MAB rule/condition is "if authentication = failed" & "if user not found = continue" in the internal endpoints database.
At this point the authorisation rule configured will send down the redirect URL.
The problem I'm hitting is that the default behaviour of ISE is to profile and add the device into the endpoint database. So phase 1 of CWA with the above condition will not pass, because ISE has profiled and added the guest device into the internal endpoint database.
I'm guessing the MAB rule may have to change to something like:
"if authentication = failed" & "if user not found = continue" in the internal endpoints database, plus profile group (i.e. HP printers).
So is my thinking correct that if there are multiple authentication conditions, then the authorization condition that has the profile "PermitAccess" should also have more than just the condition "Network_Access_Authentication_Passed", which is what the default policy is doing? It should be "Wired_802.1X and Network_Access_Authentication_Passed", so that a wired MAB device that passes authentication but is not yet part of a specific endpoint group, such as an IP phone group or printer group, will be denied access.
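To make the policy logic from the reply and the follow-up concrete, here is a small Python model of the flow the thread describes: the profiler learns an unknown MAB endpoint into Internal Endpoints, MAB authentication then succeeds, and the authorization policy decides what the endpoint gets. It is an added illustration, not Cisco ISE code or the poster's configuration. The condition names Network_Access_Authentication_Passed, Wired_802.1X and Wired_MAB follow the thread; the endpoint-group names, the sample MAC addresses, the rule names and the evaluation order are assumptions made for the example. It compares the default policy (authenticated means permitted) with the proposed policy (known MAB groups permitted, 802.1X users permitted, any other MAB endpoint sent to the CWA redirect).

```python
"""Toy model of the ISE MAB / CWA policy flow discussed in the thread.

Added illustration only: condition names mirror the thread, everything else
(group names, MACs, rule names, ordering) is an assumption for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample state: Internal Endpoints before any new device connects.
# Only one printer has been seen and profiled so far.
INTERNAL_ENDPOINTS = {"00:11:22:33:44:55": "HP-Printer"}

# Assumed "known device" endpoint groups that MAB may permit directly.
TRUSTED_MAB_GROUPS = {"Cisco-IP-Phone", "HP-Printer"}


@dataclass
class Session:
    mac: str
    method: str                         # "MAB" or "DOT1X"
    dot1x_credentials_ok: bool = False
    profiled_as: Optional[str] = None   # what the profiler would learn from probes
    auth_status: str = ""               # filled in by authenticate()
    endpoint_group: Optional[str] = None


def profile_endpoint(session, endpoints):
    """Default profiler behaviour the thread complains about: a MAB endpoint
    that is not yet known is written into Internal Endpoints with its group."""
    if session.method == "MAB" and session.mac not in endpoints:
        endpoints[session.mac] = session.profiled_as or "Unknown"


def authenticate(session, endpoints, user_not_found="CONTINUE"):
    """MAB looks the MAC up in Internal Endpoints; 'user not found = CONTINUE'
    lets an unknown MAC proceed to authorization instead of being rejected."""
    if session.method == "DOT1X":
        ok = session.dot1x_credentials_ok
        session.auth_status = "AuthenticationPassed" if ok else "AuthenticationFailed"
    elif session.mac in endpoints:
        session.endpoint_group = endpoints[session.mac]
        session.auth_status = "AuthenticationPassed"
    elif user_not_found == "CONTINUE":
        session.auth_status = "UnknownUser"
    else:
        session.auth_status = "AuthenticationFailed"
    return session.auth_status


# Condition helpers named after the ISE conditions mentioned in the thread.
def network_access_authentication_passed(s):
    return s.auth_status == "AuthenticationPassed"


def wired_802_1x(s):
    return s.method == "DOT1X"


def wired_mab(s):
    return s.method == "MAB"


# Each policy is an ordered list of (rule name, condition, result); first match wins.
DEFAULT_POLICY = [
    ("Basic_Authenticated_Access", network_access_authentication_passed, "PermitAccess"),
    ("Default", lambda s: True, "DenyAccess"),
]

PROPOSED_POLICY = [
    ("Known_MAB_Devices",
     lambda s: wired_mab(s) and s.endpoint_group in TRUSTED_MAB_GROUPS, "PermitAccess"),
    ("Wired_Dot1x_Users",
     lambda s: wired_802_1x(s) and network_access_authentication_passed(s), "PermitAccess"),
    ("Unknown_MAB_To_CWA", wired_mab, "CWA_Redirect"),   # catch-all for MAB: guest portal
    ("Default", lambda s: True, "DenyAccess"),
]


def authorize(session, policy):
    for name, condition, result in policy:
        if condition(session):
            return name, result
    raise AssertionError("policy must end with a catch-all rule")


def run(session, policy, endpoints=None):
    """Profile, authenticate and authorize one session; returns (rule, result).
    A failed authentication is rejected before authorization, as ISE does."""
    endpoints = dict(INTERNAL_ENDPOINTS) if endpoints is None else endpoints
    profile_endpoint(session, endpoints)
    if authenticate(session, endpoints) == "AuthenticationFailed":
        return "Authentication", "Reject"
    return authorize(session, policy)


if __name__ == "__main__":
    # Constructed sample endpoints: an unknown Dell laptop on MAB, the known
    # printer, and a user laptop doing 802.1X with valid credentials.
    samples = [
        Session("aa:bb:cc:dd:ee:01", "MAB", profiled_as="Dell-Device"),
        Session("00:11:22:33:44:55", "MAB"),
        Session("aa:bb:cc:dd:ee:02", "DOT1X", dot1x_credentials_ok=True),
    ]
    for policy_name, policy in (("default", DEFAULT_POLICY), ("proposed", PROPOSED_POLICY)):
        for s in samples:
            fresh = Session(s.mac, s.method, s.dot1x_credentials_ok, s.profiled_as)
            print(policy_name, fresh.mac, fresh.method, run(fresh, policy))
```

Running it shows the behaviour the original poster is seeing: under the default policy the profiled Dell laptop passes MAB and lands in PermitAccess, while under the proposed policy it falls through to the CWA redirect rule because its profiled group is not one of the trusted MAB groups, and only the printer and the 802.1X user are permitted directly.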