08-18-2021 09:28 AM - edited 08-18-2021 09:33 AM
Hi, pretty new to this so please be gentle.
We have a WLC that we set up for wireless MAC authentication on the local WLC database. I want to move this list of MAC addresses to ISE. I am following a tutorial which says to create an endpoint identity group and add the MAC addresses to that (I called it "IOT_Halls").
That's fine, however when I create the authentication policy (see attached) it doesn't contain the "IOT_Halls" identity group in the "use" drop-down menu. Now the tutorial does say to use the "Internal Endpoints" option in the drop-down, however I only want to use the MAC addresses on the "IOT_Halls" list I created. I also don't understand what or where "Internal Endpoints" is. Finally, we have another policy that already uses "Internal Endpoints" (set up before my time) so this must contain MAC addresses I don't want.
So I guess the two questions are:
- What is "Internal Endpoints" and where is this located in ISE?
- How do I use only the IOT_Halls list of MAC addresses in my authentication policy and not every 'internal endpoint'?
Many thanks, very much appreciated.
08-18-2021 02:12 PM
08-18-2021 03:17 PM - edited 08-19-2021 03:08 AM
Many thanks for your reply, I think I'm getting there.
I've set up an allowed protocol called 'MAB' (see 'PolicySet' attached) as you suggested, which allows the host lookup. I have conditions set to look for requests coming from the WLC and only on WLAN ID 6. Can I ask what your condition named "Wireless MAB" actually looks for, and I suppose how it is different from mine (other than the WLAN ID 6 bit obviously)?
I've managed to finally point to the IOT_halls group in the Authorisation policy (see attached), but had a question about the column labelled "Security Groups": what is this used for if I'm already pointing to a group? Is it needed at all?
Many thanks for your help.
08-19-2021 07:41 AM
So, the wireless MAB is just the default ISE rule. We use the auth policy rules to do the breakout. I would think where we call AD, you could check your group. You may need to just call MAB in the main policy, not sure if it will only take it as 802.1X otherwise. Probably many ways to try it. For wireless, we have 1 SSID for MAB, but break out based on 4 different groups and by the location it's coming from, and the VLANs are different.
08-20-2021 01:52 AM
Thank you very much, that's been really useful. Especially as I wouldn't have included the correct allowed protocol (MAB), as the tutorial I was looking at was from the older version of ISE and a little confusing when translating over to the newer version. I am ready to test on Monday and will pop a note to say how it goes. Thanks again.
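For the migration step the thread starts from (moving the WLC's local MAC filter list into the IOT_Halls endpoint identity group), here is an added example that is not from the thread or from Cisco: it normalizes the MAC notations a WLC list tends to contain, rejects duplicates and malformed entries instead of silently dropping them, and writes the CSV that ISE's endpoint bulk import consumes. The column layout in ISE_IMPORT_HEADER and the sample MAC list are assumptions; check the header against the import template ISE itself offers before uploading.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Constructed sample of a WLC local MAC filter list, in the mix of notations
# people actually paste: Cisco dotted, colon, hyphen and bare hex, plus one
# duplicate and one typo so the rejection path is exercised.
WLC_MAC_LIST = """
0011.2233.4455
00:11:22:33:44:66
00-11-22-33-44-77
001122334488
0011.2233.4455
00:11:22:33:44:ZZ
"""

# Assumed column layout of the ISE endpoint CSV import template; confirm it
# against the template downloaded from ISE before importing.
ISE_IMPORT_HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE displays), or None if invalid."""
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_ise_import(wlc_text: str, identity_group: str, description: str = "") -> Tuple[str, List[str]]:
    """Convert a WLC MAC list into ISE import CSV rows bound to one endpoint identity group.

    Returns the CSV text and the input lines that were rejected (malformed or duplicate),
    so the migration can be reconciled against the WLC list entry by entry.
    """
    seen, rejected = set(), []
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(ISE_IMPORT_HEADER)
    for line in wlc_text.splitlines():
        if not line.strip():
            continue
        mac = normalize_mac(line)
        if mac is None or mac in seen:
            rejected.append(line.strip())
            continue
        seen.add(mac)
        # EndPointPolicy is left blank so ISE profiling assigns it; the group is ours.
        writer.writerow([mac, "", identity_group, description])
    return buf.getvalue(), rejected
```

Review the returned rejected list before importing: a duplicate means the WLC list itself had redundant entries, and a malformed line is a device that would otherwise vanish from the migration.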