Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2408
Views
0
Helpful
6
Replies

Wifi MAC authentication on ISE 1.3

y.lo
Level 1
Level 1

‎02-25-2015 01:02 AM - edited ‎03-10-2019 10:29 PM

We are trying to configure ISE to authenticate wifi user through WLC using MAC address.

ISE checks against internal endpoint identity store for authorized MAC address.

We found that the first time a wifi device tries to connect (this MAC address has not yet been manually input in the internal endpoint identity store) the authentication fails which is normal. However after this authentication failure, such MAC address will be automatically input in the internal endpoint identity store. So next time the same wifi device tries to connect the authentication will succeed.

How to configure ISE to prevent this from happening?

Labels:
0 Helpful
6 Replies 6

jan.nielsen
Level 7
Level 7

‎02-25-2015 10:37 AM

An "authorized" mac address should be so, by putting it into a specific group in ISE manually, so that you have to move it there to allow it to connect. Then update your authz rule to only allow mac adresses from that specific internal group.

Just so we are clear, this is not for guest access right? Is it just an open ssid where you wan't to control what mac addresses are allowed on there ?

0 Helpful

y.lo
Level 1
Level 1
In response to jan.nielsen

‎02-25-2015 05:54 PM

Yes they are authorized and not guest. I already put them into a endpoint identity Group. However in the authorization policy I can only select the built-in default internal endpoint identity group, not the one I created. However can I select the one I created?

0 Helpful

krishnangangster
Level 1
Level 1
In response to y.lo

‎02-28-2015 10:00 PM

Hi Daniel,

Make sure that in your Authentication Policy for MAB, If the user not found, give the option as

Drop.

Try with that.

0 Helpful

y.lo
Level 1
Level 1
In response to krishnangangster

‎07-20-2015 01:20 AM

I tried giving the option as Drop, but the MAC address is still stored in the internal endpoint database. And thus next time the same device authenticates, the authentication is successful, which is not desired.

0 Helpful

bikespace
Level 1
Level 1
In response to y.lo

‎03-03-2015 02:53 PM

When you create the identity group that you want to use in profiling, make sure you select "Yes, create matching Identity Group".

The group will become available for selection in your policy.

Otherwise, as you've found, every endpoint in the whole system will be allowed on by default.

0 Helpful

y.lo
Level 1
Level 1
In response to bikespace

‎07-20-2015 01:18 AM

I am not able to locate the item "Yes, create matching Identity Group" when creating the identity group.

Could you advise the specific location? Thanks a lot.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents