Cisco TrustSec – ISE (Part 5)
MAB (Mac Authentication Bypass)
MAB Authentication Process
8.2.1 Basic router configuration
interface GigabitEthernet1
 ip address 202.100.2.1 255.255.255.0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 137.78.5.60 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.2.254
PS: Because authentication open is enabled on the switch and the ACL-DEFAULT access list limits pre-authorization traffic, ICMP packets are still allowed through.
By default the router can only match MAB authentication, so its MAC address is sent to ISE for authentication. The authentication fails, however, because the MAC address has no corresponding entry in the ISE internal endpoint database.
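To make the switch side of this behaviour concrete, here is a constructed example of a 2960S access port in open-mode MAB with a restrictive ACL-DEFAULT (added illustration, not the lab's own switch configuration); the interface name, RADIUS server address, shared secret and the exact ACL-DEFAULT entries are assumptions.

```cisco
! Constructed example: open-mode MAB on a 2960S port, pre-authorization
! traffic limited by ACL-DEFAULT until ISE pushes a DACL.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE PSN address and shared secret are placeholders
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
dot1x system-auth-control
!
! Pre-authorization ACL: only bootstrap traffic and ICMP (for testing)
! pass; everything else is dropped until authorization returns a DACL.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny   ip any any log
!
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification commands (output omitted): once the router's MAC address
! exists in the ISE endpoint group, the session shows Authz Success and
! the downloaded ACL replaces ACL-DEFAULT on the port.
! show authentication sessions interface GigabitEthernet1/0/1 details
! show ip access-lists interface GigabitEthernet1/0/1
```

Before the MAC address is added to the endpoint group, the same show command displays the failed MAB attempt while the port still passes only the traffic ACL-DEFAULT permits.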
8.2.2 Basic MAB authentication for Router
8.2.2.1 router authentication
8.2.2.1.1 create endpoint identity group
Create the endpoint group on ISE:
8.2.2.1.2 add mac addresses into endpoint group
8.2.2.1.3 Check MAB authentication status
PS: You will find that even though MAB authentication passes, the default authorization policy is not "permit access", which means nothing new takes effect; only the basic traffic already allowed on the switch ports gets through.
8.2.2.2 MAB Authorization for Router
Click Add.
Add a "permit ip any any" DACL for router MAB authentication.
8.2.2.2.2 Add authorization profile
8.2.2.2.3 Create authorization policy
PS:
(1) Policy name (yellow)
(2) Condition (blue): the device belongs to Baiming-MAB-Group and is connected to the 2960S.
(3) Permission (red): DACL (permit ip any any)
8.2.2.2.4 Check authorization status on ISE & Switch
Verify the VLAN and DACL.
PS: Make sure the IP address is correct; otherwise the router cannot communicate even though the DACL and VLAN were acquired.
Check the ACL on the interface.