I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers. I'm using the Profiler to populate this ISE internal database.
Now imagine that I want to use Web Authentication to permit authentication of guest workstations without 802.1X. If the Profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the "continue" option if the MAC is not found in the endpoints database. But when the Profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.
1. If you are on ISE v1.2.x then you can create policy sets, which will allow you to separate the authentication scenarios.
2. If you can't use policy sets and you must use the "Internal Endpoints" in the identity sequence, then you just need to make sure that your "Allowed Protocols" is set to allow "PAP_ASCII - Host Lookup". That way the authentication will pass and the session will be sent to the authorization step.
You should use Endpoint Identity Groups (e.g. IP Phones, Access Points and Printers) in the Authentication and Authorization policy rules instead of just matching a rule if an endpoint is present in the database. The profiled workstations will not get into the IP Phone or AP group and will not circumvent web auth.
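The difference between the two rule styles discussed in this thread, as an added simulation that is not ISE code or anything posted by the participants: a constructed endpoint table stands in for the internal endpoints database, `authenticate` models the MAB Host Lookup step with its "if user not found" setting, and the two authorization functions compare a rule that matches on mere presence in the database against rules that match on Endpoint Identity Group membership (all function and group names are assumptions for the illustration).

```python
# Constructed endpoint database: MAC -> identity group assigned by profiling.
# The last entry is a guest laptop the Profiler learned before web auth ran.
ENDPOINTS = {
    "00:11:22:33:44:01": "IP Phones",
    "00:11:22:33:44:02": "Access Points",
    "00:11:22:33:44:03": "Printers",
    "00:11:22:33:44:04": "Workstation",
}

# Identity groups that are allowed straight through on MAB (assumed names).
DEVICE_GROUPS = {"IP Phones", "Access Points", "Printers"}


def authenticate(mac, if_not_found="Continue"):
    """MAB authentication step: Host Lookup against the internal endpoints.
    Only the 'Continue' option lets an unknown MAC reach the authorization
    step, where a web-auth redirect rule can catch it."""
    if mac in ENDPOINTS:
        return "Success"
    return "Continue" if if_not_found == "Continue" else "Reject"


def authorize_by_presence(mac):
    """The problematic rule: permit any MAC that exists in the database.
    A profiled guest workstation is 'present', so it never sees web auth."""
    if mac in ENDPOINTS:
        return "PermitAccess"
    return "CWA_Redirect"  # central web auth portal for everything else


def authorize_by_group(mac):
    """Rules matched on Endpoint Identity Group, as recommended above.
    Profiled workstations and unknown MACs both fall through to web auth."""
    if ENDPOINTS.get(mac) in DEVICE_GROUPS:
        return "PermitAccess"
    return "CWA_Redirect"


def mab_flow(mac, authorize, if_not_found="Continue"):
    """Run authentication then authorization and return the final result."""
    if authenticate(mac, if_not_found) == "Reject":
        return "AccessReject"
    return authorize(mac)
```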