Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

double lookup possible in ISE 1.2 ?

I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.

I managed to do that. If not "RegisteredDevice" then redirect to a portal where users can login with AD account and register there devices.

After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.

The ISE database contains an endpoint profile and this profile contains the propertie "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.

Now i want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.

I wonder if it is possible to do the following:

MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> Query AD for this user, get property "UserAccountControl". Based on this property, i can determine if account is still active. If yes -> allow access. If not -> refuse access, even if device is in "RegisteredDevices".

When i troubleshoot however, i notice that -when using MAB- ISE is trying the MAC address as username against AD and gets returned: "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of MAC address ?

[NOTE: i am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, i want to prevent pushing anything to the clients.......]


double lookup possible in ISE 1.2 ?

Hi gnijs.

This functionality is not supported today.



double lookup possible in ISE 1.2 ?

Too bad.

I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted

(i am assuming PortalUser is an AD account here). Maybe a PER can help.....

Community Member

Re: double lookup possible in ISE 1.2 ?

Anyone know if this would be possible to do today in ISE 2.2+ ?

CreatePlease to create content