topic Re: Endpoint registration via GUI/portal or whatever in Network Access Control

Endpoint registration via GUI/portal or whatever

Olivier Jessel — Fri, 19 Jul 2019 08:25:00 GMT

Dear all,

I recently deployed ISE 2.6 in a dispersed mode, and until now everything runs smoothly.

I have a requirement from business about giving access to the LAN to some "unmanaged and exotic" devices like scanners/3d printers, and so on...

Most of these just don't support dot1x or CWA, and they are also on the network only for a few days/weeks, during staging phase.

I am looking for a friendly way for the enduser to register these devices with their MAC addresses on the ISE, into the correct endpoints' group. Else, the security team can be surrounded from requests every day...

Any idea how to achieve that ? or maybe a different approach?

Thanks for your help 😉

Re: Endpoint registration via GUI/portal or whatever

Surendra — Fri, 19 Jul 2019 09:10:59 GMT

You can use My Devices Portal on the ISE (Administration > Device Portal Management > My Devices). Create one portal for every group in portal settings and give a user friendly FQDN like printers, scanners etc. and share these FQDNs with the users. Users will login to the respective portals and register their devices accordingly which in the backend will be placed in the group you configure in the portal settings. You can configure policies to dictate the level of access to that endpoint group afterwards

Re: Endpoint registration via GUI/portal or whatever

Olivier Jessel — Fri, 19 Jul 2019 09:35:30 GMT

Thanks Surendra,

Last question: can I also restrict the access to these portals to only some users or group of users (like based on AD group or local ISE users) ?

Re: Endpoint registration via GUI/portal or whatever

Surendra — Fri, 19 Jul 2019 10:45:59 GMT

AFAIK, there isn’t such option yet.

Re: Endpoint registration via GUI/portal or whatever

Olivier Jessel — Fri, 19 Jul 2019 11:08:23 GMT

Ok, I'll find another way to restrict the access to it 😉

Thanks a lot for your help !

Re: Endpoint registration via GUI/portal or whatever

Jason Kunst — Fri, 19 Jul 2019 15:36:46 GMT

You can use the API to write your own portal.

@Surendra what about using the PAN and giving access to certain groups? Its not nice like the my devices but they could also have RBAC to groups.

Another option using my devices (hasn't been validated for a while)

https://community.cisco.com/t5/security-documents/ise-1-3-2-1-sponsor-authorization-on-secondary-attributes/ta-p/3641379

Re: Endpoint registration via GUI/portal or whatever

Surendra — Fri, 19 Jul 2019 16:39:48 GMT

Yes. That is also an option provided the customer is ok with giving access to ISE on port 443 from the VLAN the users will be residing. Also, any user part of a specific user group can edit any device part of the specific endpoint group to which the access is given. For example :

Select the AD Group the user is a part of above.

Data access as follows :

Menu Access as follows :

Policy as follows :

The result will be as follows as when a user part of the AD group listed under Admin Group :