I realize this is an old post, but this aligns with exactly what we are trying to do in the short term with ISE. MAB corporate laptops at the device level, then authenticate the logged-on user via AD credentials when they transition from wired to wireless. Note, there is no wired 802.1X for now (future plans). We have greenfield wireless and a bunch of new laptops to roll out and I want to dip the toe into ISE rather than an SSID with PSK and MAC filtering sort of thing, then we can tweak from there as we get PKI implemented.
So, your steps make sense logically, but I'm actually having a tough time getting it to work as desired. To start with, should the wireless SSID be open or secured? If secured, how so? MAB explicitly on the WLC?
I have an endpoint identity group with laptop wireless MAC addresses and I can get that to work with typical MAB config, and I have user auth to AD working in a lab setting with a PSK-secured SSID... I just can't get MAB and AD Auth policy set steps working together, so I'm hoping you can shed some light with a bit more detail to get me over the last hurdle.
Note, this is on ISE 2.1, in case that matters. WLC is a 3850 switch or I could use a virtual WLC for setup and testing if needed. Access points are 3702i/e.
Hi Randy. Apologies for the delayed reply here but I have been out for Cisco Live and then some other business-related travel. My answers below:
1) The SSID should be configured with WPA2+AES+802.1X. No Layer 3 security policy and no MAC filtering. You need to have the SSID pointed to ISE for the AAA servers.
2) The Authentication step will be based on AD group membership. The Authorization step can be configured to check and ensure that the device's MAC address is also located in the ISE local database, as well as that it is part of a specific AD group.