Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

MAB and Active directory check


I have ISE 1.2

I would like to know if it is possible to configure AD check for MAB user

I have some user that are authenticated by MAB

But I need to add another check for those user, ISE should check the Active directory group user widows session


Is it possible to do it ?

How can I configure it for wired and wireless user ?



Thanks in advance

Cisco Employee

Yes, you can definitely do

Yes, you can definitely do this. I have done this in my previous deployments for "Whitelisting" users. My policy was like this:

1. I created an Identity Group called "Whitelist"

2. Statically added all of the needed mac address to that group

3. For wireless, I created a dedicated "Policy Set" for that SSID. In the policy set I created a rule that:

- Checked for domain group membership (For instance, domain users or domain computers)

- Checked if the "Internal Identity Store" was "Whitelist"

4. For wired, I also have a dedicated "Policy Set" and you can basically duplicate the rule from wireless. 

I hope this helps!


Thank you for rating helpful posts!

Thank you for rating helpful posts!
New Member



I realize this is an old post, but this aligns with exactly what we are trying to do in the short-term with ISE. MAB corporate laptops at the device level, then authenticate the logged on user via AD credentials when they transition from wired to wireless. Note, there is no wired 802.1X for now (future plans). We have greenfield wireless and a bunch of new laptops to roll out and I want to dip the toe into ISE rather than an SSID with PSK and MAC filtering sort of thing, then we can tweak from there as we get PKI implemented.

So, your steps make sense logically, but I'm actually having a tough time getting it to work as desired. To start with, should the wireless SSID be open or secured? If secured, how so? MAB explicitly on the WLC?

I have an endpoint identity group with laptop wireless MAC addresses and I can get that to work with typical MAB config, and I have user auth to AD working in a lab setting with a PSK-secured SSID... I just can't get MAB and AD Auth policy set steps working together, so I'm hoping you can shed some light with a bit more detail to get me over the last hurdle.

Note, this is on ISE 2.1, in case that matters. WLC is a 3850 switch or I could use a virtual WLC for setup and testing if needed. Access points are 3702i/e.



Cisco Employee

Hi Randy. Apologies for the

Hi Randy. Apologies for the delayed reply here but I have out for Cisco live and then some other business related travel. My answers below:

1) The SSID should be configured with WPA2+AES+802.1x. No Layer 3 security policy and no mac filtering. You need to have the SSID pointed to ISE for the AAA servers

2) The Authentication step will be based on AD group membership. While the Authorization step can be configured to check and ensure that the device's mac address is also located in the ISE local database as well as that it is part of a specific AD group

Give that a try and let me know how it goes. 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
CreatePlease to create content