How to setup wireless MAB using a specific group/list on ISE?

Mottok · ‎08-18-2021

Hi, pretty new to this so please be gentle.

We have a WLC that we setup for wireless Mac authentication on the local WLC database. I want to move this list of mac addresses to ISE. I am following a tutorial which says to create an endpoint identity group and add the mac addresses to that (I called it "IOT_Halls").

That's fine, however when I create the authentication policy (see attached) it doesn't contain the "IOT_Halls" identity group in the "use" drop down menu. Now the tutorial does say to use the "Internal Endpoints" option in the dropdown however I only want to use the mac addresses on the "IOT_Halls" list I created. I also don't understand what or where "Internal Endpoints" are/is? Finally, we have another policy that already uses "Internal Endpoints" (setup before my time) so this must contain mac addresses I don't want.

So I guess the two questions are:

- What is "Internal Endpoints" and where is this located in ISE?

- How do I use only the IOT_Halls list of Mac addresses in my authentication policy and not every 'internal endpoint'?

Many thanks, very much appreciated.

Dustin Anderson · ‎08-18-2021

From the image, you are on the starting policy page? Here you only set an allowed protocol for MAB, I believe you will then want to call the group you made in the rules under this section. We use AD groups for MAB, but should be similar.

Mottok · ‎08-18-2021

Many thanks for your reply, I think I'm getting there I think.

I've setup a protocol called 'MAB' (see 'PolicySet' attached) as you suggested which allows the host lookup. I have conditions set to look for requests coming from the WLC and only on WLANID 6, can I ask what your condition named "Wireless MAB" actually looks for and I suppose how it is different from mine (other than the WLANID 6 bit obviously)?

I've managed to finally point to the IOT_halls group in the Authorisation policy (see attached) but had a question about the column labelled "Security Groups", what is this used for if I'm already pointing to a group? Is it needed at all?

Many thanks for your help.

Dustin Anderson · ‎08-19-2021

So, the wireless MAB is just the default ISE rule. We use the auth policy rules to do the breakout. I would think where we call AD, you could check your group. You may need to just call MAB in the main policy, not sure if it will only take it as 802.1x otherwise. Probably many ways to try it. For wireless, we have 1 SSID for MAB, but break out based on 4 different groups and by location it's coming from and the vlans are different.

Mottok · ‎08-20-2021

Thank you very much that's been really useful. Especially as I wouldn't have included the correct allowed protocol (MAB) as the tutorial I was looking at was from the older version of ISE and a little confusing when translating over to the newer version. I am ready to test on Monday and will pop a note to say how it goes. Thanks again.