Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1269
Views
0
Helpful
7
Replies

ISE v1.4. MAB question

Go to solution
Boris Uskov
Level 4
Level 4

‎07-20-2015 11:51 PM - edited ‎03-10-2019 10:55 PM

Hello to everyone.

I'm absolutely new with ISE and need some help. I'm stuck with configuring Mac Authentication Bypass in my lab environment. So, here is my problem.

I have a laptop, which is connected to a switch port. On the switch port I have configuration for MAB.

When the port is up for the first time, the MAB authentication is unsuccessful, because I don't have any Identities configured in my ISE server (Administration -> Identities -> Endpoints is empty). And this is an expected behaviour.

But, after that unsuccessful authentication I can see, that the Identity for my laptop appears AUTOMATICALY in the section Administration -> Identities -> Endpoints. So, when I do shut/no-shut on the switchport the second time, the MAB authentication passes SUCCESSFULLY. I want to avoid such behaviour. So the question is, why after unsuccessful authentication my laptop appears in the section of Endpoint Identitites?

Please, see some attachments.

I appreciate any help, thanks.

Labels:
Preview file
170 KB
Preview file
1 KB
Preview file
2 KB
Preview file
163 KB
Preview file
1 KB
Preview file
154 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7

‎07-21-2015 04:29 PM

Don't be confused that it is authenticating, it is supposed to. All endpoints that attempt to authenticate, will have their mac address created in the internal endpoints db. You should however not be granted access, unless you have an authorization policy that is not created specifically enough. Usually if you wan't to actually use mab for something, you will create a endpoint group like "printers", and then have an authorization rule that matches on the Wired_MAB compound condition, and identity group "printers", and if your bottom rule is DenyAccess, only mac adresses in  "printers" will be allowed access.

 

 

 

 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
jan.nielsen
Level 7
Level 7

‎07-21-2015 04:29 PM

Don't be confused that it is authenticating, it is supposed to. All endpoints that attempt to authenticate, will have their mac address created in the internal endpoints db. You should however not be granted access, unless you have an authorization policy that is not created specifically enough. Usually if you wan't to actually use mab for something, you will create a endpoint group like "printers", and then have an authorization rule that matches on the Wired_MAB compound condition, and identity group "printers", and if your bottom rule is DenyAccess, only mac adresses in  "printers" will be allowed access.

 

 

 

 

0 Helpful

Go to solution
Boris Uskov
Level 4
Level 4
In response to jan.nielsen

‎07-21-2015 11:43 PM

Hello, Jan.

Thanks for your explanation, now it is clear for me!

I only want to add, that in my default MAB Authentication policy I had an action "Continue" for the condition "If user not found in Internal Endpoints db" (attach). I tried to change the action to "Reject". After that Authentification is always unsuccessful (as expected), and laptop's mac-address is not automaically placed into Internal Endpoints db. If I understood correct, if the action is set to "Reject", the proccess stops at that point and Authorization policies are not even taking place.

So, thank you!

Preview file
156 KB
0 Helpful

Go to solution
y.lo
Level 1
Level 1
In response to Boris Uskov

‎07-21-2015 11:52 PM

Boris, I got the exact same issue as yours, except that we are using MAB for wireless clients and we are on version 1.3.

 

The action for "if user not found" is already "Reject", but the wireless client's mac address is still automatically placed into Internal Endpoint db. We are still struggling with this issue.

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to y.lo

‎07-22-2015 05:30 AM

But the problem is not authentication, it's authorization. If your endpoints are getting access, they must match an authorization rule, so the thing you need to figure out is which rule it is matching, and why are you allowing these mac addresses in your authorization rules?

0 Helpful

Go to solution
y.lo
Level 1
Level 1
In response to jan.nielsen

‎07-22-2015 05:37 AM

Yes we figured out a way to prevent the unwanted mac address from passing the authorization rule.

But what is the point of letting such unwanted mac address to pass the authentication rule in the first place? Why don't we just stop it in the authentication phase?

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to y.lo

‎07-22-2015 05:42 AM

The main reason is that at authentication, you don't know if that mac address should be allowed or not, it could be a member of a specific endpoint group that needs access, so instead of having to create a rule in authentication policy for each group of mac addresses you wan't to give access, this is done in authorization, makes it much simpler, as you only need to create authz rules when doing something new.

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to Boris Uskov

‎07-22-2015 05:28 AM

You are correct, if you choose reject, it won't proceed to going through the authorization rules, and just reject the endpoint during the authentication phase. Be aware that your mab authentication rule will have to be set to continue for unknown user, if you at some point need to use guest access via CWA with ise.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents