double lookup possible in ISE 1.2 ?

I want to do MAB on a certain SSID and authenticate and register devices used in the SSID.

I managed to do that. If not "RegisteredDevice", then redirect to a portal where users can log in with an AD account and register their devices.

After registration, the device MAC is added to "RegisteredDevices" and the endpoint is profiled.

The ISE database contains an endpoint profile, and this profile contains the property "BYODRegistration" = yes and "PortalUser" = the AD account xxx@ADdomain.

Now I want to link the state of the AD account to the database. When the user account is locked/expired/disabled, the device should be refused.

I wonder if it is possible to do the following:

MAB authentication occurs -> lookup MAC address in Registered Devices (=OK), lookup "Portal User" of device -> query AD for this user, get property "UserAccountControl". Based on this property, I can determine if the account is still active. If yes -> allow access. If not -> refuse access, even if the device is in "RegisteredDevices".

When I troubleshoot, however, I notice that (when using MAB) ISE is trying the MAC address as username against AD and gets returned "Unknown User", of course. Is there a way to use the linked "PortalUser" as username against AD instead of the MAC address?

[NOTE: I am fully aware that the proper way of doing this is through Client Provisioning and Certificates with a second SSID using 802.1x to authenticate certificates, but for now, I want to avoid pushing anything to the clients.]
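The lookup chain described in the question, as an added Python example that is not from this thread or from ISE: it evaluates a MAB request against a constructed RegisteredDevices table and constructed AD attribute values. It also shows a caveat the question glosses over: AD records lockouts in lockoutTime and expiry in accountExpires, not in userAccountControl, so a check on that one attribute only catches disabled accounts; the flag values and FILETIME format are Microsoft's.

```python
from datetime import datetime, timedelta, timezone
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit flags (Microsoft ADS_USER_FLAG values)
UF_LOCKOUT = 0x0010         # seldom set by AD itself; real lockouts are recorded in lockoutTime
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):  # inverse; used only to build the sample data below
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def ad_account_active(user, now, lockout_duration=timedelta(minutes=30)):
    """(active, reason) for an AD user record: checks disabled, locked and expired."""
    uac = user.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        return False, "account disabled"
    lockout = user.get("lockoutTime", 0)
    if uac & UF_LOCKOUT or (lockout and now < filetime_to_datetime(lockout) + lockout_duration):
        return False, "account locked"
    expires = user.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and now >= filetime_to_datetime(expires):
        return False, "account expired"
    return True, "ok"

def mab_decision(mac, endpoints, ad_users, now):
    """MAB authorization: device in RegisteredDevices AND its PortalUser still active in AD."""
    ep = endpoints.get(mac.lower())
    if ep is None or not ep.get("BYODRegistration"):
        return "REDIRECT_TO_PORTAL"  # unknown device: send it to the registration portal
    user = ad_users.get(ep.get("PortalUser"))
    if user is None:
        return "REJECT: portal user not found"
    active, reason = ad_account_active(user, now)
    return "PERMIT" if active else "REJECT: " + reason

# Constructed sample data standing in for the ISE endpoint database and an AD query result.
NOW = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
ENDPOINTS = {
    "00:11:22:33:44:55": {"BYODRegistration": True, "PortalUser": "alice@ADdomain"},
    "00:11:22:33:44:66": {"BYODRegistration": True, "PortalUser": "bob@ADdomain"},
    "00:11:22:33:44:77": {"BYODRegistration": True, "PortalUser": "carol@ADdomain"},
    "00:11:22:33:44:88": {"BYODRegistration": True, "PortalUser": "dave@ADdomain"},
}
AD_USERS = {
    "alice@ADdomain": {"userAccountControl": 0x200, "accountExpires": 0},  # NORMAL_ACCOUNT, never expires
    "bob@ADdomain": {"userAccountControl": 0x200 | UF_ACCOUNTDISABLE},
    "carol@ADdomain": {"userAccountControl": 0x200, "accountExpires": datetime_to_filetime(NOW - timedelta(days=28))},
    "dave@ADdomain": {"userAccountControl": 0x200, "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
}
```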

3 REPLIES

double lookup possible in ISE 1.2 ?

Hi gnijs.

This functionality is not supported today.

Richard

double lookup possible in ISE 1.2 ?

Too bad.

I wish Cisco had implemented a property like this: RegisteredDevices:PortalUser:IdentityAccessRestricted

(I am assuming PortalUser is an AD account here.) Maybe a PER can help.

Re: double lookup possible in ISE 1.2 ?

Does anyone know if this would be possible to do today in ISE 2.2+?
