ISE wired onboarding

Hi all
Is it mandatory to use EAP-TLS in wired 802.1X onboarding? Or can I use PEAP-MSCHAPv2?
The challenge is that the customer doesn't have an internal CA server.
Is there any workaround for this?
The ISE application is using version 1.1.3 patch 4
Thanks
Noel

You can use PEAP-MSCHAPv2 for onboarding; when you create the native supplicant provisioning profile you have a choice of authentication methods.
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE Wired guest portal redirect even after authentication

    Hi
    I have configured both wired and wireless guest authentication via the guest portal. Wireless is working fine; however, when trying with wired, the redirection page keeps appearing even after the user has authenticated.
    I'm not seeing the redirection authorization policy in my logs; I can see only the user authentication logs (successful). Attached is my configuration and logging output.
    Here is what I see on the interface
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  a0b3.ccca.2ab1
               IP Address:  10.1.3.16
                User-Name:  A0-B3-CC-CA-2A-B1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F000001571E52779F
          Acct Session ID:  0x00000309
                   Handle:  0xE6000158
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    Here is the ACL
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any any eq domain (1344 matches)
        20 deny ip any host 172.20.5.12 (8122 matches)
        30 deny ip any host 172.20.5.14
        40 permit tcp any any eq www (3124 matches)
        50 permit tcp any any eq 443 (202927 matches)
        60 permit tcp any any eq 8080 (114 matches)
        70 permit ip any any (8056 matches)

    Hi Mohannad,
    Thanks for your response.
    Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is we used a 2960S switch.
    We need to find out why the next Auth policy is not hitting once the user is authenticated.
    Here is the port configuration and the authentication status of the port.
    ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
    Building configuration...
    Current configuration : 427 bytes
    interface GigabitEthernet4/0/19
    switchport access vlan 103
    switchport mode access
    switchport voice vlan 135
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end
    ABQT-3FLR-ACC-01#
    Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    ABQT-3FLR-ACC-01#
    ABQT-3FLR-ACC-01#sh atuh
    ABQT-3FLR-ACC-01#sh atu
    ABQT-3FLR-ACC-01#sh authe
    ABQT-3FLR-ACC-01#sh authentication se
    ABQT-3FLR-ACC-01#sh authentication sessions in
    ABQT-3FLR-ACC-01#sh authentication sessions interface gi
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  0015.c5b4.fd4a
               IP Address:  10.1.3.23
                User-Name:  00-15-C5-B4-FD-4A
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F0000018A32B4D906
          Acct Session ID:  0x00000394
                   Handle:  0x3E00018B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
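    The two sessions pasted above are in the state CWA expects (dot1x failed over, MAB succeeded, a redirect ACL and a redirect URL returned), so the next thing to verify is that the pieces agree with each other. The following is an added example, not code from the thread or from Cisco: it parses "show authentication sessions interface" output and checks the items that most often explain a redirect loop or a missing redirect (sessionId in the URL matching the Common Session ID, an Unknown IP address, a missing redirect ACL). The sample output is constructed to mirror the thread; the hostname ise.example.test and the field-name regex are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of "show authentication sessions interface ..." output,
# modelled on the thread above (hostname and session values are made up).
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet4/0/19
          MAC Address:  0015.c5b4.fd4a
           IP Address:  10.1.3.23
            User-Name:  00-15-C5-B4-FD-4A
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise.example.test:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC14011F0000018A32B4D906
      Acct Session ID:  0x00000394
               Handle:  0x3E00018B
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# "   Field name:  value" lines in the header part of the output
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*\S)\s*$")
# "   dot1x    Failed over" lines in the runnable methods list
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Split the show output into a dict of header fields and a dict of method states."""
    fields, methods = {}, {}
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        m = METHOD_RE.match(line) if in_methods else FIELD_RE.match(line)
        if not m:
            continue
        if in_methods:
            methods[m.group(1)] = m.group(2)
        else:
            fields[m.group(1).strip()] = m.group(2)
    return fields, methods


def check_cwa_session(fields, methods):
    """Return a list of findings; an empty list means the session looks ready for CWA."""
    findings = []
    if fields.get("Status") != "Authz Success":
        findings.append("status is %s, not Authz Success" % fields.get("Status"))
    if methods.get("mab") != "Authc Success":
        findings.append("MAB did not succeed; the wired CWA flow is driven by the MAB result")
    if fields.get("IP Address", "Unknown") == "Unknown":
        findings.append("IP Address is Unknown: IP device tracking has not learned the host, "
                        "so the switch has nothing to apply the redirect to")
    if not fields.get("URL Redirect ACL"):
        findings.append("no URL Redirect ACL: nothing tells the switch which traffic to intercept")
    url = fields.get("URL Redirect")
    if not url:
        findings.append("no URL Redirect returned in the Access-Accept")
        return findings
    query = parse_qs(urlparse(url).query)
    if query.get("action", [None])[0] != "cwa":
        findings.append("redirect URL action is not cwa")
    if query.get("sessionId", [None])[0] != fields.get("Common Session ID"):
        findings.append("sessionId in the redirect URL does not match the Common Session ID")
    return findings


if __name__ == "__main__":
    f, m = parse_session(SAMPLE_SESSION)
    for line in check_cwa_session(f, m) or ["session looks ready for CWA"]:
        print(line)
```

    Paste the real output into SAMPLE_SESSION (or read it from a file) and run the script on each port that misbehaves; a sessionId mismatch means the portal will be answering for a session the switch no longer owns, and an Unknown IP address points at ip device tracking rather than at the ISE policy.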

  • ISE Wired Central Web Authentication no url redirect

    We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
    ISEtest3560#show authentication sessions interface fastEthernet 0/2
                Interface:  FastEthernet0/2
              MAC Address:  001d.09cb.78bd
               IP Address:  Unknown
                User-Name:  00-1D-09-CB-78-BD
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0003E600000039064485B1
          Acct Session ID:  0x00000293
                   Handle:  0x95000039
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    From the client PC I can get name resolution for anything I ping. I also can ping the ISE server by name. The ACL that is downloaded is as follows:
    Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 10.4.37.91
        40 deny ip any any log
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 10.4.37.91
        40 permit tcp any any eq www (13 matches)
        50 permit tcp any any eq 443
        51 permit tcp any any eq 8443
        60 deny ip any any
    The machine passes the authentication with MAB and hits the CWA authorization profile; ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the switch:
    ISEtest3560#show running-config | include tracking
    ip device tracking
    ISEtest3560#
    We have 802.1x clients working and the IP addresses for those do show up.
    Please advise,
    Thanks,
    Joe

    ISEtest3560#show ip access-lists interface fastEthernet 0/2       
    ISEtest3560#
    It doesn't appear the dACL is being applied.
    interface FastEthernet0/2
    switchport access vlan 11
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 999
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree guard root
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        41 permit ip any host 10.4.37.91
        50 deny ip any any log (1059 matches)
    Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
    Thanks,
    Joe

  • ISE Wired DOT1X authorization fails

    I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues I'm just attempting wired user authentication. Below is what I have
    -authorization profile to allow a user based on the default (wired dot1x) and AD memberOF to get the person into the network
    -the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab... this is PEAP by the way.
    Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I login. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dacl. Doing a show authentication session int gi8/36 says "status authz FAILED".
    I get the same thing if I use both machine and user. Machine boot->login->ISE says there was a successful authentication for the machine and sends a dACL->sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts down due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is config info. Thanks
    Windows machines are Win7/64
    switch is 6509e with 12.2(33)SXI 11 running on it.
    Interface:  GigabitEthernet8/36
              MAC Address:  10ee.f10c.4820
               IP Address:  Unknown
                User-Name:  jcarrabine
                   Status:  Authz Failed
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A800C010000018CF35CA5D8
          Acct Session ID:  0x0000077B
                   Handle:  0x0000018C
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Dot1x Info for GigabitEthernet8/36
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_AUTH
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 10
    interface GigabitEthernet8/36
    description TEST PORT
    switchport
    switchport access vlan 52
    switchport mode access
    switchport voice vlan 143
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 10
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast edge
    spanning-tree bpduguard enable
    end
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    ip radius source-interface Loopback0
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
    radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
    radius-server vsa send accounting
    radius-server vsa send authentication

    I fixed this issue. So to the trained eye this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail.

  • ISE Wired 802.1X with Foundry access switch, not showing "Device Port"

    Our customer wants to enable wired 802.1X for user and machine authentication on a Foundry switch.
    They want to use ISE as the RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
    We got the tcpdump packets from ISE. It shows that the "nas-port-id" RADIUS attribute is not sent by the Foundry switch, but it sends "nas-port".
    Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
    Or is it possible to let ISE show the "nas-port" attribute value on the authentication report?
    Thanks.

  • ISE Wired Guest + user without supplicant and dynamic vlan change

    Hi All,
    I have two issues:
    Is it still an issue that a wired user who is directed to the ISE CWA is able to stay authenticated as a guest for as long as they stay connected?
    This is happening on our test pilot: a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
    I hear that this isn't an issue for wireless, but I have yet to try this out. Is there a workaround for this?
    Secondly, my testing confirms that only users with a supplicant (e.g. AnyConnect NAM) can be dynamically changed into a VLAN (only tested on wired).
    What I'd hope to do is create a policy so that when wired guests connect, their VLAN is dynamically changed to the guest VLAN (the same one guest WLAN users will use).
    Is this possible if the guest doesn't have a supplicant?

    One of my tasks was to rebuild the multiportal config, and it looks like there was an option there to do a VLAN DHCP release and renew. I won't know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
    Still don't have an answer about the guest being able to stay authenticated, or does this feature solve this issue as well? Only time will tell..

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented a captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the captive URL on the interface of the switch, but from the Windows laptop I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization Policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • Cisco ISE Wired authentication

    Hi Dears,
    I want to configure wired user authentication from the ISE server.
    I need configuration documentation for configuring ISE and the switch.
    thanks.

    check
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

  • ISE BYOD Onboarding

    Hi,
    I have a Lab setup with ISE 1.3, WLC 5508 7.6.130.0. I have setup the ISE using Setup Assistant as a base point and have managed to get a couple of things working, such as the Guest Portal with Self Registration, standard Wireless dot1x authentication and authorizations for notebooks using AD. I have also setup a separate Wifi network for Mobile devices using AD authentication.
    All 3 scenarios work with a bit of fine tuning and with the following configurations.
    Separate Guest-Wifi - Self registration - Works
    Separate Corporate Wifi - AD Authentication - profiling and posture check - Works
    Separate BYOD Wifi - AD Authentication - Works.
    The problem I have is that when I enable device registration on the BYOD Wi-Fi, I get intermittent issues as follows:
    1 iPad connects and registers without failure, iOS 8.1.1.
    Another iPad with the same iOS connects but cannot register; it gets the BYOD portal page, but after accepting the AUP gives an error about an unsupported browser.
    iPhone 5s, iOS 8.1.1, connects and registers intermittently, and when it fails, it gets the BYOD portal page, but after accepting the AUP gives an error about an unsupported browser.
    iPhone 4s, iOS 8.1.1, connects but cannot register; it gets the BYOD portal page, but after accepting the AUP gives an error about an unsupported browser.
    Can someone please advise why this is happening, as I cannot see how it's a configuration error. I have checked the supported OS and browsers for the portal and, although the highest supported iOS is 8.0, why does the 1 iPad work every time and the iPhone 5s intermittently?
    thanks.
    Julian.

    Supported iOS versions in ISE 1.3: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html#49426
    Client Machine Operating System    Web Browser    Supplicants (802.1X)
    Apple iOS 8.0                      Safari         Apple iOS Supplicant 8.0
    Apple iOS 7.x                      Safari         Apple iOS Supplicant 7.x
    Apple iOS 6.x                      Safari         Apple iOS Supplicant 6.x
    Apple iOS 5.1                      Safari         Apple iOS Supplicant 5.1
    Apple iOS 5.0.1                    Safari         Apple iOS Supplicant 5.0.1

  • ISE wired TLS with group mapping

    Hi. We authenticate wired clients using EAP-TLS with Computer Certificates. This works fine so far. Now we need an authorization with LDAP and set the VLAN based on the AD Group of the Computer. Is there a way to use the CN of the Certificate and retrieve the Attributes of the Client over LDAP?
    Does anybody know how this could be done?
    Regards,
    Urs

    You should be able to do this, as long as the CN name is in the correct format, which for computer certificates it should be. Set up the LDAP external store, find the group and map that to your authz policy.
    Sent from Cisco Technical Support Android App

  • Wired Guest Using ISE Interface

    I've scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create a wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used somehow?
    The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
    Thanks in advance!

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Cisco ISE NAD compatibility

    Hello all,
    Are the Small Business 500 series switches (ESW520) and Linksys switches supported by the Cisco Identity Services Engine 1.2? I didn't see them in the compatibility matrix! Is there any way to make them work for ISE wired CWA?
    Best Regards.

    Thank you Venkatesh for the reply,
    It's unfortunate to know that the ESW500 series doesn't support CWA (because we are deploying ISE and there are many ESW and Linksys switches here), so can they support LWA or 802.1X with ISE?
    The same question for Linksys switches: can they support CWA, LWA or 802.1X authentication using ISE?
    Thank you so much.

  • ISE wireless CPP with redirect exclusions, possible?

    Hi all, a little bit of a tricky situation here. I've got a wireless network and ISE 1.1.1. The wireless is mixed 7.0 and 7.3 code.
    On an ISE wired installation it's easy to have an authorization rule that URL redirects users to the client provisioning portal *BUT* to have a redirect ACL on the switch with deny statements that excludes specific websites from the redirection. This is done so users can click on remediation links from the NAC Agent and get to websites to download anti-virus, sig updates, windows updates, etc... but all other web attempts get redirected to the CPP.
    All fine and it works perfectly on the wired network. HOWEVER, I can't seem to find a similar way to do this on the wireless network. While you can create a posture redirection policy to send them to the CPP with an ACL, that ACL seems to only permit or deny traffic per a standard ACL. Meaning a user gets on but any attempt to go anywhere in a browser redirects to the CPP. This makes it impossible to get to the remediation pages.
    Is there any way to accomplish what I'm trying to do here? It seems like it should be a basic function.

    Sorry, I had some personal issues to deal with and just got a chance to follow up on this. First of all, good job on figuring it out and posting the findings back here! (+5) from me for that!
    To answer your questions:
    #1. You are 100% correct about the logic on the WLC ACLs vs switch ACLs. On switches "deny" means "don't redirect" the traffic, thus permit it on the network. On the WLCs "deny" means "redirect" the traffic, hence don't allow it on the network. I am not sure why Cisco did this but different BUs, different teams, etc.
    #2. You are also correct on this one. Your vWLC and ISE are working as expected. While switches support dACLs, WLCs only support "named ACL." As a result, when referencing ACLs on ISE for wireless, that ACL has to exist on the WLC and it MUST BE NAMED THE SAME or it won't work.
    Hope this helps. If your issues are resolved please mark the thread as "answered".
    Thank you for rating!
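    The Central WebAuth flow quoted a few threads up (the NAD redirects the client's HTTP/HTTPS requests according to the redirect ACL returned in the access-accept) and the answer just above (on IOS switches "deny" means "don't redirect", on WLCs "deny" means "redirect") are easy to get wrong when the same ACL text is reused across platforms. The following is an added example, not code from the thread or from Cisco: it parses extended IP access lists as printed by "show ip access-lists", evaluates a flow against them with first-match and implicit deny, and reports whether a given platform would redirect that flow. The ACL-WEBAUTH-REDIRECT and xACSACLx dACL are copied from the "no url redirect" thread above; the client address, remote hosts and flows are constructed, and the small subset of ACE syntax handled (any/host, eq port) is an assumption sufficient for those ACLs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

# A flow is (proto, src_ip, src_port, dst_ip, dst_port); ports are None for non-TCP/UDP.
Flow = Tuple[str, str, Optional[int], str, Optional[int]]


@dataclass
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # ip, tcp, udp or icmp
    src: str              # "any" or a host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# One ACE as printed by "show ip access-lists"; the "(N matches)" hit counter is dropped.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def _take_addr(toks: List[str]):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq <port>' from the token list."""
    kind = toks.pop(0)
    addr = toks.pop(0) if kind == "host" else "any"
    port = None
    if toks and toks[0] == "eq":
        toks.pop(0)
        name = toks.pop(0)
        port = PORT_NAMES.get(name) or int(name)
    return addr, port


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACEs of an extended IP access list; header and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, action, proto, rest = m.groups()
        toks = rest.split()
        src, sport = _take_addr(toks)
        dst, dport = _take_addr(toks)   # a trailing "log" keyword is simply left over
        aces.append(Ace(int(seq), action, proto, src, sport, dst, dport))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    proto, src, sport, dst, dport = flow
    return ((ace.proto == "ip" or ace.proto == proto)
            and ace.src in ("any", src) and ace.dst in ("any", dst)
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def acl_action(aces: List[Ace], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if _matches(ace, flow):
            return ace.action
    return "deny"


def is_redirected(aces: List[Ace], flow: Flow, platform: str) -> bool:
    """Whether the NAD intercepts this flow and sends the browser to the CWA URL."""
    action = acl_action(aces, flow)
    if platform == "switch":
        return action == "permit"   # IOS: permit = redirect, deny = let it through
    if platform == "wlc":
        return action == "deny"     # WLC: deny = redirect, permit = let it through
    raise ValueError("unknown platform %r" % platform)


def cwa_prerequisite_problems(redirect_aces, dacl_aces, required) -> List[str]:
    """Flows CWA depends on (DHCP, DNS, the portal itself) must neither be redirected by
    the switch nor dropped by the dACL. Returns a description of each violation."""
    problems = []
    for name, flow in required.items():
        if is_redirected(redirect_aces, flow, "switch"):
            problems.append("%s would be redirected" % name)
        if acl_action(dacl_aces, flow) != "permit":
            problems.append("%s is dropped by the dACL" % name)
    return problems


# ACLs copied from the "no url redirect" thread above.
REDIRECT_ACL = """\
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any
"""
DACL = """\
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
"""

# Constructed client flows (client and remote addresses are made up).
CLIENT = "10.4.37.50"
FLOWS = {
    "dns":    ("udp", CLIENT, 53123, "10.4.37.2", 53),
    "portal": ("tcp", CLIENT, 50001, "10.4.37.91", 8443),
    "web":    ("tcp", CLIENT, 50002, "93.184.216.34", 80),
    "ssh":    ("tcp", CLIENT, 50003, "10.4.37.20", 22),
}

if __name__ == "__main__":
    redirect, dacl = parse_acl(REDIRECT_ACL), parse_acl(DACL)
    for name, flow in FLOWS.items():
        print(name, "switch:", is_redirected(redirect, flow, "switch"),
              "wlc:", is_redirected(redirect, flow, "wlc"))
    print(cwa_prerequisite_problems(redirect, dacl, {"dns": FLOWS["dns"], "portal": FLOWS["portal"]}))
```

    Run against the thread's ACLs, the switch redirects only the web flow and leaves DNS and the portal alone, which is the intended behaviour; fed to a WLC unchanged, the same text would redirect DNS and the portal and let the web flow through, which is exactly the inversion the answer describes. The prerequisite check pairs the redirect ACL with the dACL so that a flow exempted from redirect is also actually permitted to reach its destination.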

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as allowed protocols.
    Does the "Host Lookup" under allowed protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key.  Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol"? My guess is that you see "Lookup" (see attached screenshot).
    Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
         interface fa0/1
         mab eap
    Things to consider:
         1) If you make that change the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the service-type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network
         2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password
         3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!
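    The first consideration above is worth seeing in rule form: the built-in Wired_MAB condition keys on Service-Type "Call Check", so a request generated by "mab eap" (Service-Type "Framed") falls through to the 802.1X rule and its MAC-address username is sent to the wrong identity store. The following is an added example, not ISE policy syntax and not code from the thread or from Cisco: it models the two built-in conditions as predicates, evaluates three constructed Access-Request attribute sets through an ordered rule list, and shows one way the MAB rule can be widened so that MAB EAP requests still land in it (matching when the username is the caller's own MAC, normalised across the formats NADs use). The attribute sets, the identity store names "Internal Endpoints" and "AD1", and the widened condition are assumptions for illustration; as the answer notes, the MAC is in the clear in Calling-Station-Id either way, so this classification adds no authentication strength, only correct rule selection.

```python
import re

# Constructed RADIUS Access-Request attribute sets, as ISE would see them from an IOS
# switch; only the attributes the conditions below look at are included.
MAB_PAP = {            # plain "mab" on the port: MAC as username and password
    "User-Name": "00-15-C5-B4-FD-4A",
    "Calling-Station-Id": "00-15-C5-B4-FD-4A",
    "Service-Type": "Call Check",
    "NAS-Port-Type": "Ethernet",
}
MAB_EAP = {            # "mab eap" on the port: same MAC, but carried in EAP-MD5
    "User-Name": "00-15-C5-B4-FD-4A",
    "Calling-Station-Id": "00-15-C5-B4-FD-4A",
    "Service-Type": "Framed",
    "NAS-Port-Type": "Ethernet",
    "EAP-Message": "<present>",
}
DOT1X = {              # a real 802.1X supplicant with a user identity
    "User-Name": "jsmith",
    "Calling-Station-Id": "10-EE-F1-0C-48-20",
    "Service-Type": "Framed",
    "NAS-Port-Type": "Ethernet",
    "EAP-Message": "<present>",
}


# ISE's built-in compound conditions, written out as predicates.
def wired_mab(req):
    return req.get("Service-Type") == "Call Check" and req.get("NAS-Port-Type") == "Ethernet"


def wired_dot1x(req):
    return req.get("Service-Type") == "Framed" and req.get("NAS-Port-Type") == "Ethernet"


MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def _norm_mac(value):
    """Reduce 0015.c5b4.fd4a / 00-15-C5-B4-FD-4A / 00:15:c5:b4:fd:4a to 0015C5B4FD4A."""
    return re.sub(r"[^0-9A-Fa-f]", "", value or "").upper()


def looks_like_mab(req):
    """Hypothetical extra condition: the username is the caller's own MAC address.
    Unlike Service-Type, this still distinguishes MAB EAP from an 802.1X user login."""
    user = _norm_mac(req.get("User-Name"))
    return bool(MAC_RE.match(user)) and user == _norm_mac(req.get("Calling-Station-Id"))


# Authentication rules in evaluation order: (name, condition, identity store).
DEFAULT_RULES = [
    ("Wired_MAB", wired_mab, "Internal Endpoints"),
    ("Wired_802.1X", wired_dot1x, "AD1"),
]
# Widened MAB rule that also catches Framed requests whose username is the caller's MAC.
HARDENED_RULES = [
    ("Wired_MAB", lambda r: wired_mab(r) or (wired_dot1x(r) and looks_like_mab(r)),
     "Internal Endpoints"),
    ("Wired_802.1X", wired_dot1x, "AD1"),
]


def select_rule(req, rules=DEFAULT_RULES):
    """Return (rule name, identity store) of the first matching rule, or the default."""
    for name, cond, store in rules:
        if cond(req):
            return name, store
    return "Default", "Internal Users"


if __name__ == "__main__":
    for label, req in (("mab", MAB_PAP), ("mab eap", MAB_EAP), ("802.1X", DOT1X)):
        print("%-8s default:%-32s hardened:%s" % (
            label, select_rule(req), select_rule(req, HARDENED_RULES)))
```

    With the default rules the "mab eap" request is classified as Wired_802.1X and its MAC-address username is looked up in AD, which is the failure the answer warns about; the widened rule keeps it in the endpoint store while a genuine supplicant login is still routed to AD.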

  • ISE wireless design

    Hi all,
    Designing for an ISE wireless case, I would like to seek ideas about:
    1. My design goal is that domain users are only able to connect to Employee_AP, while guests connect to Guest_AP. What rule condition should I use?
    2. What is the best practice for BYOD policies so that each employee is only able to use 2 personal devices, say one notebook and one handheld device? Is there any way I can enforce this rule on ISE?
    Million thanks
    Noel
