977 Views | 10 Helpful | 1 Replies

MAB permit after valid 1x Session

Oliver Laue
Level 4

Hi,

Most of you know a certain behavior. A Windows machine which was authenticated via dot1x sets its NIC to WOL on shutdown, and a MAB session is initiated. But with newer devices the MAC addresses are in most cases from the dock or a USB dongle. This leads to a problem where you can't whitelist the MAC, and the switch retries the authentication, which leads to a lot of failed auth messages in ISE.

My question is: how do I write a rule that checks whether the MAC was previously authenticated via 802.1X, so that the client is put in some kind of deployment VLAN or permitted a client VLAN with a dACL until it boots and starts a new 1X session?

There are a couple of attributes, but they can't be used in Auth or AuthZ rules.

1 Reply

Oliver Laue
Level 4

I think I answered my own question.

MAR (Machine Access Restriction) should achieve this.

In your Active Directory identity source, under Advanced, "Enable Machine Access Restriction" must be checked and an aging timer should be set (12h set for test purposes).

[Screenshot: Bildschirmfoto 2021-10-01 um 13.34.34.png]

If you have multiple ISE nodes, they should be in a node group and the option MAR Cache Distribution has to be enabled.

[Screenshot: Bildschirmfoto 2021-10-01 um 13.36.59.png]

Now you can create a rule like this (rule in monitor for test purposes).

[Screenshot: Bildschirmfoto 2021-10-01 um 13.39.33.png]
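A small Python model of the MAR-cache logic the reply relies on, added here as an illustration and not Cisco's or ISE's own code: a successful 802.1X machine authentication records the MAC with a timestamp, and a later MAB request from the same MAC gets a restricted result only while that entry is inside the aging timer (in ISE the authorization rule checks this via the Network Access:WasMachineAuthenticated condition). The profile name Deployment_VLAN, the sample MAC and the timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class MarCache:
    """Toy model of the MAR cache: MAC -> time of last successful machine auth."""
    aging: timedelta = timedelta(hours=12)   # the aging timer from the reply
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, when: datetime) -> None:
        """A successful 802.1X machine authentication (re)populates the cache."""
        self.entries[mac.lower()] = when

    def was_machine_authenticated(self, mac: str, now: datetime) -> bool:
        """What an authorization rule sees as WasMachineAuthenticated."""
        seen = self.entries.get(mac.lower())
        return seen is not None and now - seen <= self.aging


def authorize(cache: MarCache, auth_type: str, mac: str, now: datetime) -> str:
    """Decide an authorization result for one session (profile names constructed)."""
    if auth_type == "dot1x":
        cache.record_machine_auth(mac, now)
        return "PermitAccess"
    if auth_type == "mab":
        # MAB is only tolerated for a MAC that recently did a machine auth;
        # it lands in the restricted deployment VLAN, not full access.
        return "Deployment_VLAN" if cache.was_machine_authenticated(mac, now) else "DenyAccess"
    raise ValueError(f"unknown auth type {auth_type!r}")


def simulate(events, aging_hours: int = 12):
    """Replay (time, auth_type, mac) events in order and return the decisions."""
    cache = MarCache(aging=timedelta(hours=aging_hours))
    return [authorize(cache, kind, mac, t) for t, kind, mac in events]


# Constructed sample: the dock's MAC does 802.1X at boot, the host shuts down
# to WOL, and the switch falls back to MAB with the same MAC.
T0 = datetime(2021, 10, 1, 8, 0)
DOCK_MAC = "00:11:22:33:44:55"   # constructed, not a real device
SAMPLE_EVENTS = [
    (T0, "dot1x", DOCK_MAC),                        # machine auth at boot
    (T0 + timedelta(minutes=30), "mab", DOCK_MAC),  # shutdown -> WOL -> MAB
    (T0 + timedelta(hours=13), "mab", DOCK_MAC),    # entry has aged out (12h)
    (T0 + timedelta(hours=14), "dot1x", DOCK_MAC),  # next boot refreshes it
    (T0 + timedelta(hours=15), "mab", DOCK_MAC),
]

if __name__ == "__main__":
    for (t, kind, mac), decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(t.isoformat(), kind, mac, "->", decision)
```

The third event shows the trade-off of the aging timer: once it expires, a dock that is still powered keeps retrying MAB and produces exactly the failed-auth noise the question describes until the host boots and runs 802.1X again.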