Tuesday, 21 April 2015

Cisco TrustSec – ISE (Part 5) - MAB (Mac Authentication Bypass)


MAB Authentication Process



8.2.1 Basic router configuration


interface GigabitEthernet1
 ip address 202.100.2.1 255.255.255.0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 137.78.5.60 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 202.100.2.254

PS: Because authentication open is enabled on the switch and an ACL (ACL-DEFAULT) limits the traffic, ICMP packets can be used to test connectivity.


By default the router can only be matched by MAB authentication, so its MAC address is sent to ISE for authentication. The authentication fails because the router's MAC address has no corresponding entry in the ISE database.
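The switch-side configuration that the notes above assume (authentication open plus a pre-authentication ACL named ACL-DEFAULT) is not shown on the page. The following is an added example written for this post, not the author's own switch configuration; the interface GigabitEthernet1/0/1, VLAN 10, the ISE address 10.0.0.10 and the shared secret are assumptions.

```cisco
! AAA: send authentication, authorization and accounting to ISE over RADIUS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! ISE address and shared secret are placeholders (assumed values).
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
! The DACL is returned as a vendor-specific attribute, so the switch must accept VSAs.
radius-server vsa send authentication
radius-server vsa send accounting
! Global 802.1X enable (also needed for MAB) and IP learning, which DACLs rely on.
dot1x system-auth-control
ip device tracking
!
! Pre-authentication ACL: while the port is open but not yet authorized,
! only DHCP, DNS and ICMP pass, which is why ping works for testing.
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 deny ip any any
!
! Port facing the router. The router has no 802.1X supplicant, so MAB is
! tried first and the router's MAC address is sent to ISE as the identity.
interface GigabitEthernet1/0/1
 description router port (MAB)
 switchport mode access
 switchport access vlan 10
 ip access-group ACL-DEFAULT in
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

With authentication open, a MAB request that fails or matches no rule leaves the port forwarding, but only the traffic ACL-DEFAULT permits; once ISE returns the permit ip any any DACL, that per-session ACL takes precedence over ACL-DEFAULT for the authorized host.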

8.2.2 Basic MAB authentication for the router


8.2.2.1 Router authentication

8.2.2.1.1 Create endpoint identity group

Create the endpoint identity group on ISE:


8.2.2.1.2 Add MAC addresses to the endpoint group




8.2.2.1.3 Check MAB authentication status



PS: You will find that even though MAB authentication passed, the default authorization policy is not "permit access", so nothing changes: only the basic traffic already allowed on the switch ports gets through.

8.2.2.2 MAB Authorization for Router





Click Add, then add a "permit ip any any" DACL for router MAB authentication.

8.2.2.2.2 Add authorization profile




8.2.2.2.3 Create authorization policy



PS:
(1) Policy name (yellow)
(2) Condition (blue): the device belongs to Baiming-MAB-Group and is connected to the 2960S.
(3) Permission (red): DACL (permit ip any any)


8.2.2.2.4 Check authorization status on ISE and the switch




Verify the VLAN and DACL
PS: Make sure the IP address is correct; otherwise the host cannot communicate even though the DACL and VLAN have been applied.


Check the ACL on the interface
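The switch-side checks for this section, as an added example rather than commands taken from the post; the interface GigabitEthernet1/0/1 is assumed, while 202.100.2.254 is the router's gateway from the configuration above.

```cisco
! On the switch: session state for the router port. Check that the method is
! mab, that the status shows a successful authorization, and that the ACS ACL
! and VLAN fields carry what ISE returned.
show authentication sessions interface GigabitEthernet1/0/1
! Newer IOS releases put the per-attribute view behind the details keyword.
show authentication sessions interface GigabitEthernet1/0/1 details
! The downloaded ACL is installed per session; this shows the ACL actually
! in effect on the port after ISE authorization, not the static ACL-DEFAULT.
show ip access-lists interface GigabitEthernet1/0/1
! A DACL is applied only after the switch has learned the host's IP address,
! so the router must appear here with the address configured on its interface.
show ip device tracking all
! On the router: confirm reachability through the authorized port.
ping 202.100.2.254
```

If the session shows a successful authorization but the router still cannot communicate, the device tracking table is the first place to look: the per-session ACL is bound to the IP address the switch learned, which is the situation the PS above describes.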

