Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2312
Views
0
Helpful
5
Replies

MAB Authentication operation and its interaction with Authorization

Go to solution
bbriggs
Level 1
Level 1

‎02-20-2017 11:45 AM - edited ‎03-11-2019 12:28 AM

We are using a default Wired_MAB configuration.

As I understand it a device tries to authenticate and as part of this the identity store i.e. the local internal identity store is queried.

If this is a new device it isn't in the Identity Store, however our new device seems to get added.

Is it the case that authentication proceeds after MAB with ISE continuing to Authorization Rules, if a device passes profiling it is added to the Identity Store and having been added, at THAT point authentication can now be successful?

It has always seemed odd to me that there does not seem to be a failure condition within Authentication for MAB devices, however if a device fails to profile i.e. Authorize, it also fails authentication.

Can someone clarify this?

Thanks

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎02-20-2017 01:00 PM

Hi,

In MAB, authentication use Internal Endpoint where If user not found "CONTINUE"

It will move to authorization policy. MAC address gets added in ISE database as per profiled Endpoint.

Even if it doesn't match any profiling policy, it will become part of Unknown endpoint.

As per second query, it fails authentication because RADIUS has one packet for authentication and authorization. So even it passes authentication and failed in authorization, you will get failed authentication report.

Regards

Gagan

PS: rate helpful posts!!!!!

View solution in original post

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎02-20-2017 01:23 PM

Please rate as correct if it helps!!!!

Also let me know if you have any concerns on this thread...

Regards

Gagan

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎02-20-2017 01:00 PM

Hi,

In MAB, authentication use Internal Endpoint where If user not found "CONTINUE"

It will move to authorization policy. MAC address gets added in ISE database as per profiled Endpoint.

Even if it doesn't match any profiling policy, it will become part of Unknown endpoint.

As per second query, it fails authentication because RADIUS has one packet for authentication and authorization. So even it passes authentication and failed in authorization, you will get failed authentication report.

Regards

Gagan

PS: rate helpful posts!!!!!

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎02-20-2017 01:23 PM

Please rate as correct if it helps!!!!

Also let me know if you have any concerns on this thread...

Regards

Gagan

0 Helpful

Go to solution
bbriggs
Level 1
Level 1

‎02-22-2017 09:56 AM

Thanks for that. That's a great help.

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to bbriggs

‎02-22-2017 10:49 AM

Your Welcome!!!!!

0 Helpful

Go to solution
JonMoss92624
Level 1
Level 1
In response to Gagandeep Singh

‎07-16-2020 07:15 AM

Hi, appreciate this is now an old thread but wondering if you can help me, i have the exact same query as above.  I don't want the MAC address to be auto-populated into the inventory in the case where the device is unknown it should remain unknown and rejected.  Any idea's how i can resolve this?

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents