double lookup possible in ISE 1.2 ?

Unanswered Question
Oct 11th, 2013
User Badges:
  • Bronze, 100 points or more

I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.

I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can login with AD account and register there devices.

After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.

The ISE database contains an endpoint profile and this profile contains the propertie "BYODRegistration" = yes and "PortalUser" = the AD account [email protected].

Now i want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.

I wonder if it is possible to do the following:

MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, i can determine if account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".

When i troubleshoot however, i notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of MAC address ?

[NOTE: i am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, i want to prevent pushing anything to the clients.......]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Atkin Fri, 10/11/2013 - 09:38
User Badges:
  • Silver, 250 points or more

Hi gnijs.

This functionality is not supported today.


gnijs Sat, 10/12/2013 - 12:13
User Badges:
  • Bronze, 100 points or more

Too bad.

I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted

(i am assuming PortalUser is an AD account here). Maybe a PER can help.....


This Discussion