Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Web Authentication with Profile


   I'm using Web Authentication with Cisco ISE 1.2.1 without problems.

   The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication

   But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use

   the Web Authentication cause the endpoint is already in the internal endpoint store.

   What's the better way to solve this problem ?

   Thanks in Advanced


   Andre Gustavo Lomonaco




  • AAA Identity and NAC
Cisco Employee

Make sure that the "Identity

Make sure that the "Identity Store" or the "Identity Store Sequence" selected in your authentication is not set to "Internal Endpoints."


Thank you for rating helpful posts!

New Member

     Hi Neno, let me clarify


    Hi Neno, let me clarify my question

    I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.

    Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.


Cisco Employee

So a couple of things:1. If

So a couple of things:

1. If you are on ISE v1.2.x then you can create policy sets which will allow you to separate the authentication scenarios

2. If you can't use policy sets and you must use the "Internal Endpoints" in the identity sequence, then you just need to make sure that your "Allowed Protocols" is set to allow "PAP_ASCII - Host Lookup." That way the authentication will pass and the session will be send to the authorization step


Thank you for rating helpful posts!


You should use Endpoint

You should use Endpoint Identity Groups (e. g. IP Phones, Access Points and Printers) in the Authentication and Authorization policy rules instead of just matching a rule if an endpoint is present in the database. The profiled workstations will not get into IPphone or AP group and will not circumvent web auth.

New Member

This widget could not be displayed.