SEC0040 - ISE 1.1 Profiling, Probing, and MAC Authentication Bypass (Part 1)


The video introduces you to the concepts of device profiling and MAC Authentication Bypass (MAB) on Cisco ISE. We will start by going through the different types of probing, how devices get profiled with Profiling policies, and how to create an Endpoint Identity Group for the profiled devices to be used in authorization policies. Static MAC addresses and an Identity Group will be configured for devices that cannot be profiled. A Cisco IP Phone and an Access Point will be used in our demonstration.

Part 1 of the video covers device probing, profiling, and static MAC addresses.
Topic:
  • Profiling
  • Probing
  • MAC Authentication Bypass (Wired)
  • Endpoint Identity Group
  • Downloadable ACL
  • Authorization Profile

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

11 comments

I have a question.
Your DHCP server is in the switch (172.168.32.1), but in your VLAN 64 you entered the command ip helper-address 172.168.32.102. If I have a DHCP server (Windows Server 08 R2), should my configuration be ip helper-address (DHCP Server) or ISE Server?

The answer is both. 'ip helper' pointing to ISE is only to give ISE more information for profiling. ISE does not give out any IP. You still need to use 'ip helper' to point to your DHCP server for users to get an IP.

How often does NMAP run against a device?
Does it scan the device when it's initially profiled, such as when it's profiled as a Microsoft-Workstation? It will then scan the device and identify its OS. Once the OS is identified, I have a policy that says, for example: if NMAP (operating-system = Windows7) then EndpointProfile = Windows7-Workstation.

Will it scan the device every time it authenticates to the network to verify it's still a Windows 7 device, or once it's granularly profiled, does it not?

NMAP can be triggered either by an action specified under a profiling policy or manually from a PSN. Some of the generic device profiles like HP-Device have an NMAP action defined to gather device info further, and this only happens when there is a profile match, usually when the device is first seen by the system. Once the device matches a more specific profile, NMAP no longer runs for that device.

I think when we use MAB, we must define a list of MAC addresses that can gain access to the network on ISE. Any MAC address not on the list will not receive an IP from the DHCP server and can't access the network either. Is that right? Because when I use the default authentication condition WIRED_MAB and the default authorization condition WIRED_MAB in ISE, any PC can receive an IP from DHCP and access the network. I want only PCs that have a MAC address on my list to receive an IP from the DHCP server. Any MAC address not on the list will be denied. Can I use ISE to do that?

It sounds like you already got MAB working. To limit network access by MAC address, create an Endpoint identity group, add the MAC addresses you want to allow to the group, and add the group to the authorization rule condition. That way, any MAC address not in the group will not match the rule and will hit your default rule, which should be set to Deny.

Thanks so much. I have configured MAB successfully on ISE, but I still have a problem with it. I have a computer running Windows 7. When I go to interface properties > Authentication tab, I must check the Enable IEEE 802.1x authentication box to enable MAB. If I don't check it, MAB is not working and any computer can gain access to the network without a security check. It's not secure for my network. Can I force the client to enable MAB to gain access to my network? And one more thing: if I check the Enable IEEE 802.1x authentication box, I must provide a valid dot1x user. If not, MAB succeeds but dot1x fails, and a computer with a valid MAC address still can't get access.

First of all, do not get 802.1X mixed up with MAB. If you intend to only authorize endpoints by their MAC address, there is no need for you to enable 802.1X on the endpoint, which is the whole point of using MAB. With MAB, the decision is made by ISE purely based on whether the MAC address is allowed by your authorization policy.
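Switch-side configuration illustrating the two answers above: the dual ip helper-address entries (DHCP server plus ISE for the DHCP probe) and a MAB-only access port that needs nothing enabled on the endpoint. This is an added example, not configuration from the video or the author's lab files; the addresses, interface names and RADIUS key are placeholders.

```text
! Added example, not from the video or lab files. Placeholder addresses:
!   10.0.0.5  = Windows DHCP server
!   10.0.0.10 = ISE Policy Service Node (PSN)
!
! --- DHCP relay: two helpers on the client VLAN ---
! The first helper is what actually hands out leases. The second only
! forwards a copy of the DHCP packets to ISE so its DHCP probe can
! profile the endpoint; ISE never answers with an address.
interface Vlan64
 ip address 172.168.64.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip helper-address 10.0.0.10
!
! --- RADIUS / AAA towards ISE (MAB uses the dot1x method list) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
! Let ISE push a downloadable ACL in the Access-Accept.
radius-server vsa send authentication
!
dot1x system-auth-control
! Binds the endpoint IP to the port so the downloadable ACL is applied.
ip device tracking
!
! --- MAB-only access port (IP phone, AP, printer) ---
! The switch sends the endpoint's MAC address as the RADIUS username;
! the endpoint itself needs no supplicant, so leave 802.1X disabled on
! a Windows client that is meant to be authorized by MAC address only.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 64
 authentication port-control auto
 mab
 spanning-tree portfast
```

Any MAC address ISE does not find in the Endpoint identity group falls through to the default authorization rule, so that rule must be Deny for the allow-list to mean anything.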

Hi, I get an authentication failure because "Authentication method is not supported by any applicable identity store(s)", but I am using dot1x authentication. On the client PC, I enabled 802.1x with EAP-MSCHAPv2. Even when I go to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access and tick all the authentication methods, I still get an authentication failure with that log. Please show me where I'm wrong.

You might want to look at the RADIUS log detail and make sure the authentication matches your Default Network Access for Allowed Protocols, and that the protocol is PEAP. Also, what are you authenticating against? AD?

I have solved my problem. I just want to say thanks to all members of Labminutes. You are so awesome and very kind. I wish you all the best of luck.
Best Regards