I am currently setting up a VOIP network for my customer, which includes 802.1x and MAB authentication.
The normal auth sequence goes like this:
The switch detects a new machine with no 802.1x protocol set up and sends a MAB request to the ISE node.
The ISE node looks up the MAC address in an LDAP server, and depending on whether it is in the "Computer" or the "phone" group, sets it in the correct VLAN for staging.
The device is configured automatically and given its certificate.
The device reboots, and with the correct certificate, its 802.1x request is again sent to the ISE server, which this time checks the certificate against the LDAP and authorizes the connection into the production VLAN.
My question is the following:
My customer decided that all the "computer" devices will be managed by another unit, and another (NPS) Radius server.
I want to redirect all MAB requests to that server if the MAC address is in the "computers" group, and only process them myself if the client is not found there (for a few specific cases).
This causes two issues:
In the policy set page, there seems to be no way to decide radius sequences based on LDAP groups, only on the basic attributes of the radius request.
In the RADIUS sequence definition, there seems to be no possible action in case of an "Access-Reject" response, only in "Access-Accept".
Is there something I missed, or is there another way to achieve my goals?
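To make the routing decision the question describes concrete, here is an added, constructed model (not ISE, NPS or any vendor code) of the two pieces the poster says the policy set cannot combine: the attributes carried in the RADIUS Access-Request itself (Calling-Station-Id for the MAC, EAP-Message to tell 802.1x from MAB) and an external group lookup, with a local fallback when the forwarded request comes back as Access-Reject. The LDAP directory, the NPS server and the MAC addresses are stand-ins defined inline.

```python
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
CALLING_STATION_ID = 31   # switch puts the client MAC here for MAB
EAP_MESSAGE = 79          # present only when a supplicant is doing 802.1x

# Constructed stand-in for the LDAP lookup: MAC -> group name
LDAP_GROUPS = {"00:11:22:33:44:55": "computers", "aa:bb:cc:dd:ee:ff": "phones"}

def build_access_request(attrs):
    """Build a minimal Access-Request: 20-byte header, then TLV attributes."""
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body   # 16-byte authenticator left zeroed

def parse_attributes(packet):
    """Return {attribute type: [values]} from a RADIUS packet, validating lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def route_request(packet, ldap_groups=LDAP_GROUPS, nps=lambda mac: "Access-Reject"):
    """Decide who handles the request; `nps` stands in for the remote RADIUS server."""
    attrs = parse_attributes(packet)
    if EAP_MESSAGE in attrs:
        return ("local", "802.1x")          # certificate auth stays on this server
    raw = attrs[CALLING_STATION_ID][0].decode("ascii")
    mac = raw.lower().replace("-", ":")     # switches often send 00-11-22-...
    group = ldap_groups.get(mac)
    if group == "computers":
        if nps(mac) == "Access-Accept":
            return ("nps", group)
        return ("local-fallback", group)    # the case the sequence cannot express
    if group == "phones":
        return ("local", group)
    return ("reject", None)                 # unknown MAC: no staging VLAN
```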