topic ISE and MAB in Network Access Control

ISE and MAB

angel-moon — Thu, 21 Nov 2019 20:35:35 GMT

Hello,

If I want to use MAB on a bunch of devices from the same manufacturer that can;t do 802.1x can I create just a single MAB policy and have all the devices hit that policy or whi I have to enter every actual MAC address for each device?

Thanks in advance!

Replies rated

Re: ISE and MAB

jj27 — Thu, 21 Nov 2019 20:56:57 GMT

As long as the manufacturer has the same OUI (first 6 characters of the MAC address) then you can accomplish it with one policy. Your condition would be Radius:Calling-Station-ID starts with <first 6 characters, example: 00-12-34 or 00:12:34 depending on how your accounting is configured.

You can also accomplish it by creating a profiling policy with the same condition or a condition to match the OUI by name (as seen in Context Visibility) then using the condition in your authorization policy Endpoint:EndpointPolicy = <ProfileName>

Lastly, you could populate an Endpoint Group with all of the MAC addresses manually (or bulk import) if desired.

Re: ISE and MAB

Mike.Cifelli — Thu, 21 Nov 2019 21:17:20 GMT

I agree with @jj27

However, please note that if pushing authz policy via profiled endpoint groups you will require plus licensing. If licensing is a concern I would recommend leveraging a bulk add via rest api. Check this out: https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623