
Cisco ISE 2.2 IP phones MAB authentication

arane0001
Level 1

I am trying to get the IP phones authenticated using MAB without using the Cisco Plus license.

We have around 55000 Base licenses and just 1000 Plus licenses.

We have a lot of phones and computers in my network.

In order to save Plus licenses, what you basically do is create an Administered Endpoint Profile to match your endpoint, either dynamic or static, and then create an Authorization Rule that allows the endpoint to successfully authenticate.

I was able to successfully make this work for computers, but I fail to do this with IP phones.

Has anybody done this where they were able to avoid the Plus license when authenticating an IP phone?

I can explain more if somebody didn't get my question.

6 Replies

Can you elaborate on "Administered Endpoint Profile"?  Are the computers using MAB or are they using EAP/802.1X?  Bottom line is if you are using Profiling, you need a Plus/Advantage license equal to the number of endpoints using Profiling in the authorization policies.   

Also FYI that ISE 2.2 is scheduled for end of maintenance in June so it might be time to start thinking about an upgrade: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743180.html 

Administered Endpoint profiles are the ones that I create manually... so basically I created an endpoint profile that identifies my company's computers by adding an attribute, and then I added an auth rule saying if it belongs to a particular AD group or an AD user, permit access.

Here is the problem: I can't do it for the IP phones.

Are the computers using MAB or are they using EAP/802.1X?  How are you getting the computer name or username into ISE?  It doesn't sound like that is using a Profiling flow to me.

If you are doing "If endpoint profile = Cisco IP Phone" that is profiling and you need the necessary Plus licenses. 

Yes, you are right, the computers are set to 802.1X. So you are saying I would need the Plus license anyhow, even if the endpoint profile is Cisco-provided or administrator-provided... unless I use 802.1X on the phones as well?

That is correct, the endpoint identity group is not profiling, it’s just a logical group of endpoints. The computers are not using MAB/Profiling to authenticate, they are using 802.1X. 
The options are as follows:

  • Buy plus license equal to the number of phones in the environment and use profiling
  • Configure 802.1X authentication on the phones
  • Configure static endpoint groups containing each phone’s MAC address (or use OID in authz policy) and use vanilla MAB with no Profiling (not secure, MAC spoofing, and a management nightmare).
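The third option above (static endpoint identity group, or an OUI match in the authorization policy, with plain MAB and no Profiling) is what the original question is really asking for, so here is an added example of how it is built and why the answer calls it not secure. This is not code from the thread or from Cisco: it harvests phone MACs from constructed `show cdp neighbors detail` output (phone device names are `SEP` followed by the MAC), writes them as a CSV for ISE's endpoint bulk import (the column names and the OUI prefixes are assumptions here; check both against your own ISE export template and the IEEE OUI registry), and then models the two MAB authorization rules to show that a laptop presenting a phone's MAC is permitted by either one.

```python
import csv
import io
import re

# Example Cisco OUI prefixes (assumed for illustration only; verify any prefix
# against the IEEE OUI registry before using it in a real ISE condition).
CISCO_PHONE_OUIS = {"00:1B:D4", "64:F6:9D"}

# Constructed 'show cdp neighbors detail' output: two phones and one switch.
SAMPLE_CDP = """\
-------------------------
Device ID: SEP001BD4AABBCC
Entry address(es):
  IP address: 10.1.20.15
Platform: Cisco IP Phone 8845,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/5,  Port ID (outgoing port): Port 1
-------------------------
Device ID: SEP64F69D001122
Entry address(es):
  IP address: 10.1.20.16
Platform: Cisco IP Phone 7841,  Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/6,  Port ID (outgoing port): Port 1
-------------------------
Device ID: SW-ACCESS-2.example.net
Entry address(es):
  IP address: 10.1.1.2
Platform: cisco WS-C2960X-48FPD-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/48,  Port ID (outgoing port): GigabitEthernet1/0/48
"""


def normalize_mac(raw):
    """Return a MAC in ISE's AA:BB:CC:DD:EE:FF form from any common notation
    (001b.d4aa.bbcc, 00-1b-d4-aa-bb-cc, 001BD4AABBCC, ...)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def phone_macs_from_cdp(cdp_output):
    """Extract phone MACs from CDP neighbor detail text.
    Only neighbors whose Platform line says 'Cisco IP Phone' count, and the
    MAC is taken from the CUCM-style device name SEP<12 hex digits>."""
    macs = []
    for block in re.split(r"^-{5,}\s*$", cdp_output, flags=re.M):
        m = re.search(r"Device ID:\s*(\S+)", block)
        if not m or "Cisco IP Phone" not in block:
            continue
        dev = m.group(1)
        if dev.startswith("SEP") and len(dev) == 15:
            macs.append(normalize_mac(dev[3:]))
    return macs


def build_import_csv(macs, group="IP-Phones-Static"):
    """Render the MAC list as CSV for ISE's endpoint bulk import.
    Column names are assumed here; check them against the CSV template
    your ISE version exports from the endpoint import dialog."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["MACAddress", "EndPointPolicy", "IdentityGroup"])
    for mac in macs:
        w.writerow([mac, "Unknown", group])
    return buf.getvalue()


def authorize_mab(calling_station_id, static_group, mode="static"):
    """Model of the two licence-free MAB rules described in the answer.
    mode="static": permit if the MAC is in the static endpoint identity group.
    mode="oui":    permit if the MAC's OUI is a phone OUI.
    Both decide purely on the MAC the switch relays in Calling-Station-ID, so
    any device that presents a phone's MAC gets the phone's access."""
    mac = normalize_mac(calling_station_id)
    if mode == "static" and mac in static_group:
        return "IP-Phone-Access"
    if mode == "oui" and mac[:8] in CISCO_PHONE_OUIS:
        return "IP-Phone-Access"
    return "DenyAccess"


def spoof_demo():
    """A laptop presenting a harvested phone MAC passes under both rules."""
    group = set(phone_macs_from_cdp(SAMPLE_CDP))
    spoofed = "001b.d4aa.bbcc"  # MAC cloned from the first phone above
    return (authorize_mab(spoofed, group, "static"),
            authorize_mab(spoofed, group, "oui"))


if __name__ == "__main__":
    phones = phone_macs_from_cdp(SAMPLE_CDP)
    print(build_import_csv(phones))
    print("spoofed laptop:", spoof_demo())
```

The CSV is what you would load into a static endpoint identity group to feed the "vanilla MAB" rule; `spoof_demo()` is the one-line reason the answer flags the approach as not secure, since nothing in either rule ties the MAC to the phone that CDP reported it from.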

A good question was asked today and I felt it was a very important one.

We bought Cisco switches, Cisco Smart Licensing, the Cisco ISE product, Cisco ISE VM licensing and Cisco VoIP phones.

Why should we pay for the Cisco ISE Plus license to get Cisco VoIP phones profiled? Does Cisco have an answer?

It's like buying an Apple iPhone and then paying for the Apple Music app besides paying for an Apple Music subscription.