topic Re: Only allowing authorized machines on ISE in Network Access Control

Only allowing authorized machines on ISE

Julio Coral Orbes — Mon, 11 Mar 2019 03:26:16 GMT

Hi,

We are implementing an ISE solution, and one of the customer requirements is create an internal endpoint identity group, and ONLY allow the mac address listed on that group to authenticate via 802.1x.

I see that in the authorization policy section, in the identity groups conditions, i only can create a rule that applies an OR operator, for example, "dot1xusers OR authorizedmachines", but i can't create the AND condition to enforce the customer requirement.

There is a way to accomplish this? or how can i implement this customer requierement?

Many thanks,

Julio

Only allowing authorized machines on ISE

Richard Atkin — Wed, 29 May 2013 05:25:12 GMT

In your ISE;

Create an Endpoint Identity Group and put your device MAC Addresses in

In your Authentication Profiles, enable 802.1x

In your Authorisation Profiles, create a rule whereby "Device Group = YourAuthzPCs AND AD Group Membership = Domain Computer"

That should see you good, although I'd question the motives for your requirement. MAC Address lists are both boring / difficult to administer, and easily spoofed. You would be better off using another AD Security Group in most circumstances I'd have thought.

Re: Only allowing authorized machines on ISE

Julio Coral Orbes — Wed, 29 May 2013 17:07:12 GMT

Thank you RikJonAtk,

you are rigth, that is how it worked. however, the customer don't have an active directory yet (its a new network), so we must use internal users. In my lab the auth profile used to accomplish the goal was like the shown in attached.

DispositivosPermitidos is an endpoint identity group where the allowed device mac address are listed. the trick was the string "User Identity Groups:Employee" instead of "Employee" in the auth profile.