ISE MAB Configuration

In this article we are going to configure policies in ISE to support endpoints that only support MAB in the next article we will create a configuration that supports endpoints that support 802.1x.

What is MAB? MAB stands for MAC Authentication Bypass, this is a form of network authentication that ISE supports by using the endpoints MAC Address to authenticate against an ISE policy set. MAB is used for devices that don’t have the capability to support 802.1x e.g. certain printers and other legacy devices.

What is 802.1x? It is a protocol that is an IEEE standard and requires endpoints to present a form of authentication to a central source, in my case this is ISE. By utilizing 802.1x we can configure different authentication and authorization policies depending on the type of endpoint.

Configuring a MAB Policy Set

To begin with we will create a MAB policy set that will authenticate my laptop that has the mac address 98-FA-9B-8D-9F-E4.

When creating a MAB policy set it is worth creating a new endpoint group so you can create endpoint specific MAB policies.

To get started go to the Work Centers tab, then Network Access and select Overview.

We now want to create our new Endpoint Group that I will put my laptop into, to do this we need to select the Id Groups tab. Once in there we need to click on the Add button and name our new Endpoint Identity Group

Now that we have created the new Endpoint Identity Group we need to add my Laptop MAC Address into the Endpoint Group Whitelist-My-Devices. On the left hand side of the tab Id Groups select Identities, you will then see the below. We then need to click on the + button to add the MAC Address and attach it to the Endpoint Group.

Now that we have created our Endpoint Identity Group we need to create our Policy Set that will reference the above Identity Group. To access the Policy Set go to the right of the Identities tab and select Policy Set.

We want to create a brand new policy set that will support MAB endpoints, we can do this by clicking the +. This will create a new Policy Set named New Policy Set 1. We want to rename this to MAB Authentication. We then want to select the + to add a condition and drag in Wired_MAB and click Use. The last thing to do is use the Allowed Protocols dropdown and select Default Network Access and then click Save. We can use this MAB authentication policy for different types of endpoints and create separate Authentication and Authorization policies inside.

Now that we have created the initial Policy Set we want to go inside and configure Authentication and Authorization. Do do this click on the >, this will then open up the Policy Set. We now want to create an Authentication Policy called Default MAB Authentication and we want to match on the condition of Wired_MAB and use the Internal Endpoints identity store.

The last thing we need to do in the MAB Authentication Policy Set is add an Authorization Policy called Laptop_Authz. Under Authorization Policy add a new rule and input the name Laptop Authz then add a new condition. We want to match on our Endpoint Group called Whitelist-My-Devices so lets go ahead and create a new condition. In the editor select Click to add an attribute and then select the below highlighted in blue. We want to choose the Dictionary IdentityGroup with the Attribute Name. Now we need to select our Endpoint Identity Groups Whitelist-My-Devices then press Save and then save the new library condition as Whitelist-My-Devices.

We now need to select the Results Authorization Profiles to attach to our rule, in our case we just want to use the default PermitAccess.

The Results Authorization Profiles can do numerous things, for example when an endpoint connects to the network it can push out a specific VLAN, force a Web Authentication Captive Portal, use something called a Dynamic ACL. I will discuss these in much further details in another blog and do some demonstrations of using them.

In your Authorization Policy Set there is also another feature called Security Groups which uses a protocol called Trustsec SGT(Scalable Group Tag) another thing that we will cover in another post.

Now that we have created our Laptop Authz Authorization profile we can save it and start testing, I will cover MAB and 802.1x switch configuration in another post.

As I’m using the Cisco Anyconnect NAM module which is controlling the network adapter on my Laptop I have had to create a default profile called Wired-MAB-Auth as otherwise it will try 802.1x by default and ask for credentials.

Now that I have switched over to my Wired policy from Wireless we can check the authentication sessions on the switch, as you can see below I have successfully authenticated using the Method mab and have a Status of Auth.

We can gather more detail from the authentication session by using the command show authentication session interface fa0/1 detail

We can also view the authentication logs through the Operations tab in ISE and view the RADIUS Live Logs. This shows us the Authentication Policy and Authorization Policy that we created.

Thank you for reading this article I hope it was useful and in the next one we will cover 802.1x configuration using EAP-TLS and MSCHAP-v2.

Leave a Reply

Your email address will not be published.