- Bronze, 100 points or more
I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.
I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can login with AD account and register there devices.
After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.
The ISE database contains an endpoint profile and this profile contains the propertie "BYODRegistration" = yes and "PortalUser" = the AD account [email protected].
Now i want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.
I wonder if it is possible to do the following:
MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, i can determine if account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".
When i troubleshoot however, i notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of MAC address ?
[NOTE: i am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, i want to prevent pushing anything to the clients.......]