Configuring Cisco ISE MAB Policy Sets


After a successful installation of ISE and your first switch configuration you can finally create your first policy. We will create a policy which will only permit access from specific MAC addresses and will then dynamically assign the configured VLAN on the connected switch port.

General Information

ISE has a default policy which allows all connections. You can’t change the name of the default policy nor can you delete it, but you can change the policy settings. I suggest to you to use the default policy to deny all requests. So if no other policy matches the connection should be denied, equally to a standard firewall policy.

Edit Default Policy

Navigate to your default policy by selecting Policy -> Policy Sets. Use the arrow on the far right to view the policy. Open the Authentication Policy tab. This includes all allowed authentication methods for the selected policy set. We don’t have to change anything here for our default policy.

Close it and move on to Authorization Policy tab. Policies with a green checkmark are enabled and the one with a cross are disabled. You have two options here, you can either disable the policies or delete them. To get a better overview of all my policies I will delete all unnecessary ones.

Delete Policies

To delete a policy select the gear icon under actions and select delete:
Delete Policy

I will delete all policies except the default one (can’t be deleted anyway). Once you have deleted or disabled all policies hit save and confirm. Your policy set should now look similar to this one:
Default Policy Set

Check if the default policy is set to DenyAccess like in the screenshot above. Now all every new client connection should be denied.

Test Default Policy

Let’s do a quick test if everything works as expected so far. Connect a client to check if our new policy is working. Navigate to Operations -> Live Logs. You should see a new entry marked with a red cross and an access deny message. Live Logs Policy Deny

Create MAB Group

In order to use MAC Authentication Bypass (MAB) in our policy sets we first need a group to save those mac addresses.
Navigate to Administration -> Identity Management -> Groups and select Add.

Give the group a name and description (optional) and click Submit: Endpoint Group

Add Endpoint to Group

There are multiple ways to add endpoints to the new group. The path to choose depends on if the endpoint is known or unknown by ISE. Once an endpoint was connected through a switch port configured for ISE it is automatically know by ISE.

Known Endpoints

If you have already connected the endpoint to ISE (doesn’t matter if the authentication was successful or not) you can find it in the endpoints section. Navigate to Context Visibility -> Endpoints. Select the endpoint you want to add to the group. Use the pencil icon to edit the endpoint settings. Check Static Group Assignment and Select your identity group:
Edit Endpoint

Another option is to select your group Administration -> Identity Management -> Groups. Select Endpoint Identity Groups on the right and choose your group. In the next windows you can select Add and choose your endpoint from the dropdown menu. After selecting your endpoint the settings are automatically saved.

Unknown Endpoints

If your endpoint is not yet know by ISE you have to option to manually add it. To do so navigate to Context Visibility -> Endpoints and click on the + icon to add a new endpoint.

Enter its MAC address and select your identity group after checking the Static Group Assignment box. Confirm by clicking Save:
Add Endpoint

Create Dynamic VLAN Profile

In order to assign VLANs dynamically we need to create a new profile. This ensures that the VLAN configuration will only be added to the switch port once a client is connected and is removed if the client disconnects.

Navigate to Policy -> Results -> Authorization -> Authorization Profiles and select Add. Name the policy and set your VLAN ID by selecting Common Tasks -> VLAN. Enter your VLAN ID/Name. Confirm by clicking Submit:
Authorization Profile

Create new Policy Set

Add new Policy Set

Navigate to Policy -> Policy Sets again and select the + icon above your Default policy.
Give your policy a name and select Default Network Access on the Allowed Protocols / Server Sequence column:
New Policy Set

Click on the + icon on the Conditions column. In the Conditions Studio screen drag and drop the Wired_MAB condition into the Editor field and confirm with Use:
Conditions Studio

Save your new policy set with the Save button. Select your policy by clicking on the arrow on the right.

Edit Authentication Policy

This step is optional as the default authentication policy will allow access to our internal endpoints. For better visibility in Live Logs I will create a new one.
If you want to customize your policy start by selecting DenyAccess for your default policy:
Default Authentication Policy

Use the + icon above to create a new rule. Name it and select Internal Endpoints. Click on the + icon on the Conditions column. In the Conditions Studio screen drag and drop the Wired_MAB condition into the Editor field and confirm with Use Conditions Studio

If you want you can hit the Save button now, so that you don’t lose and progress by accident. Your policy should now look similar to this one: New Authentication Policy

Edit Authorization Policy

Now we can move on to the Authorization Policy tab. The default profile should already be set to DenyAccess.
As always use the + icon to add another policy. Give your rule a name and click on the + icon again on the Conditions column. Click on the Click to add an attribute field and navigate to Identity group in the new window. Select IdentityGroup Name:
Select Attribute

Select your identity group in Choose from list or type field. You can also search for your group name. Confirm with Use: Identity Group

In the Profiles column select the profile you created earlier. I called my example Permit_VLAN_10. Your authorization policy should now look similar to mine:
Authorization Policy

Now every client which MAC address is in the MAB_Test-Clients group gets access VLAN 10 added to the active port and the access is permitted.

Use the Save button to activate your policy.

Test Policy Set

Last but not least we need to test the policy. To do so navigate to Operations -> Live Logs and connect your client. You can also adjust the refresh interval, max entries and time period to your liking:
Live Logs Settings

Once you have connected your client it should match our authentication and authorization policy:
Live Logs Policy Allow

Switch Session

Use the following command to view sessions details for a specific switch port. In my case GigabitEthernet1/0/1:

show authentication sessions interface GigabitEthernet1/0/1 details

The output should look like the following:

            Interface:  GigabitEthernet1/0/1
          MAC Address:  d481.d7aa.aaaa
         IPv6 Address:  Unknown
         IPv4 Address:
            User-Name:  D4-81-D7-AA-AA-AA
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  300s (local), Remaining: 254s
       Session Uptime:  46s
    Common Session ID:  C0A863030000001731FF4616
      Acct Session ID:  0x0000000D
               Handle:  0x43000006
       Current Policy:  POLICY_Gi1/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 10

Method status list:
      Method            State

      mab                Authc Success

This give us a lot of information about the current session. The most important one is the Status which is Authorized. We can tell that the Domain is DATA. Another option here would be VOICE for VoIP phones. You can also tell the endpoints Session Uptime which is only 46 seconds in my example. The selected Vlan Group is also shown which is Vlan 10. Another useful information is the authentication method which is mab in our case. 802.1x would be another method we could use but we only configured MAB so far.

Switch Port

If you look at the interface status after a successful authentication you can also see the assigned VLAN there. Use the following command to do so:

show interface status

The switch port Gi1/0/1 is now assigned to VLAN 10:

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      connected    10         a-full a-1000 10/100/1000BaseTX

The VLAN configuration gets removed and set to default (VLAN configured on the switch port) once you disconnect the client:

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      notconnect   999          auto   auto 10/100/1000BaseTX

Tips and Ticks

Reauthenticate or Terminate Endpoint Session

From time to time it can be useful to reauthenticate or terminate an endpoint’s session to ISE. For example significant change in policies or settings may require a reauthentication. To do so navigate to Context Visibility -> Endpoints. Select the endpoint you want to reauthenticate and navigate to Change Authorization -> CoA Session Reauth (CoA is short for Change of Authorization). You can also terminate a session completely by using CoA Session Terminate: Endpoint Reauthentication

By clicking on the endpoint you get an overview of all the information that ISE has collected or was assigned manually.

Live Logs and Live Sessions

I already mentioned Live Logs a couple of times in this guide but since they are pretty important I would like to refer to them again. Every connection through ISE is visible in Live Logs. They offer a big variety of authentication and authorization details, so it’s your first point of contact for debugging endpoint problems. Active sessions can be monitored in the Live Sessions tab.

Viewing Logs older than 24h

Live Logs only show up to 24 hours of logs. To access older log files navigate to Operations -> Reports -> Reports -> Endpoints and Users -> RADIUS Authentications. In the Reports section you can access logs up to 30 days old.


This was quite a journey, but you are finally done with your ISE setup for further labbing and testing. ISE offers a large variety of configuration options for all kinds of use cases. I hope that I was able to give you an introduction and some ideas on where to start.