ZBISE12 – Cisco ISE XBOX One with MAB Auth on Wired

Here is ZBISE12 and with it is our Wired XBOX One Use Case!  If you recall we are going to authenticate our XBOX One with MAB and then we are going to assign a dACL to the session.  Shall we jump right into it now???


Network and Server Diagram:

Here is our reference diagram that we will be using throughout this blog series.



Wired Use Cases

Here is our Wired Use Cases table for reference as we go through today’s installment of creating our XBOX One with MAB Auth Use Case!


The Steps!!

1. Create our ISE Policies for our XBOX One with MAB Use Case
2. Configure our Switchport for ISE…ISE THAT PORT…ISE THAT PORT!!
3. Validation and Testing of our XBOX One Use Case

Note: For this installment, we are not showing some of the filler screenshots.  At this point in our series I believe they are not 100% needed.  Please leave a comment if my assumption is incorrect here.

1. Create our ISE Policies for our XBOX One with MAB Use Case

You will first need to log into your ISE Cluster and traverse to your Wired Authorization policy.  Within this policy, you will want to create a new use case / row / whatever you want to call it.  For the condition of your XBOX One policy, we want to check for Wired_MAB and the specific XBOXONE Policy.  This is shown in the below screenshot.

Once you have the condition the way you want it for your new XBOX One Authorization Policy, we need to make sure we select the proper permissions for the rule.  We already pre-built our Authorization Profile for our XBOX Access, and it is called WIRED-XBOX.  As you can see below, we have it selected in our policy.

That’s it on the ISE side.  If you run into any issues with your XBOX not being properly profiled, you can always add your XBOX into the End Point Policy manually.


2. Configure our Switchport for ISE…ISE THAT PORT…ISE THAT PORT!!

Now let’s take a look at our XBOX One’s switchport on our Lab 3750 Switch.  For this Use Case our XBOX One is on Port Gi1/0/6.

Taking a look at our port, we can see that it has not been ISED yet!  Well, let’s go ahead and ISE that Port!!

Note: For some reason, when I say ISE that port, I feel like we should start chanting: ISE that Port…ISE that Port…ISE that Port! 🙂

Let’s pull the ISE Port Configuration from ZBISE06.

Below is what we are going to use for our ISE Port Configuration.

switchport access vlan 100
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

Below, like usual, is a screenshot of our switchport after the ISE Port configuration has been applied.

Now we move into Step # 3!!


3. Validation and Testing of our XBOX One Use Case

On our Lab switch, let’s pull out our favorite CLI command, show auth sessions, to see what is taking place with our port.

As we expected to see, our XBOX One is getting a successful AuthC and AuthZ.

Let’s take a quick look at the dACL just to verify it’s correct. It should be, but we never know. 😉

And look at that, the dACL is correct.

Let’s jump over to the ISE RADIUS Live Log side to view what ISE shows for the authentication session.

Now we just need to verify the dACL is properly working as expected. We shouldn’t be able to ping the XBOX One from an internal IP address (RFC 1918) but we should be able to ping it from a public address.  (I know in this lab I am using the 1.1.1.1 address that is now actually a real world address, I will eventually change it, I promise! :))

Below is the screenshot of our testing, and it looks like everything is working as expected!!  We are good to go!
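
Why the ping from an RFC 1918 source fails, as an added example (not part of the original post, and not ISE or switch code): the dACL is applied inbound on the switchport, so the echo request still reaches the XBOX and it is the XBOX's echo reply that gets dropped. The ACL entries and the XBOX address 192.168.100.50 used in the checks are constructed assumptions, since the real WIRED-XBOX dACL is only visible in the screenshot; the RFC 1918 versus public behaviour and the 1.1.1.1 test address come from the post.

```python
import ipaddress
# Constructed dACL (assumption): the real WIRED-XBOX dACL is only in the post's
# screenshot. Permits DHCP and DNS, denies RFC 1918 destinations, permits the rest.
DACL = """\
permit udp any any eq 67
permit udp any any eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))
def _take_addr(tokens):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((base, wildcard), rest)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse(acl_text):
    rules = []
    for tokens in map(str.split, acl_text.splitlines()):
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank line or remark
        action, proto, *rest = tokens
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(addr, spec):
    return (_ip(addr) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0  # wildcard bits are "don't care"

def evaluate(rules, proto, src, dst, dport=None):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or r_port not in (None, dport):
            continue
        if _match(src, r_src) and _match(dst, r_dst):
            return action
    return "deny"

def ping_answered(rules, endpoint, pinger):
    # Ingress dACL: the request arrives; the ping fails if the echo reply is denied.
    return evaluate(rules, "icmp", endpoint, pinger) == "permit"
```

Because the first match wins, the order of entries matters: in this constructed ACL the DNS permit sits above the RFC 1918 denies, so an internal DNS server stays reachable while every other internal destination is blocked.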

And that is it for our XBOX One with MAB Auth use case.  Pretty straightforward once you get used to it.  As always, if you have any issues or questions, leave a comment and I will be there to assist!!


