topic Re: MAC address whitelist in Network Access Control

MAC address whitelist

Capricorn — Mon, 29 Oct 2018 08:58:04 GMT

Hi!

Cisco ISE version 2.4.

I have created a Endpoint identity group name whitelist and then added the few MAC address in it. The plan is to use this as whitelist of few devices we have. I created policy authorization policy for it.

Radius:Calling-Station-ID MAC_IN Whitelist.

This works but when I tried for another MAC with same way then it didnt work and after weekend the computer that was working is not getting the policy and its going to default deny policy.

It was kind of suprising but then I looks like I used a policy as below for MAC address and as that MAC address was authenticated with below policy then it worked for whitelist policy but once is cache is expired then its not working.

Radius: calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

I looked into the documentation below and my understanding is that as the MAC was authenticated with above policy then it i worked for MAC_IN policy for some time and after expiration it didnt work.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010010.html

Now I enabled

Radius: calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

and then disabled it and now below is working.

Radius:Calling-Station-ID MAC_IN Whitelist.

I only want that if MAC exist in Whitelist should be authorize.

Thanks for your suggestion and help in this.

Re: MAC address whitelist

ma.alsaffar — Mon, 29 Oct 2018 09:38:31 GMT

Hi,

why dont you create a profiling group and add the mac address, this will allow you to add multiple mac addresses whenever its needed

Re: MAC address whitelist

Capricorn — Mon, 29 Oct 2018 09:41:22 GMT

Hi!

The issue with that is let say if I profile for Huwai phones then anyone from outside with that model or vendor can join it as I have open SSID.

Right now I have 10 devices so I can use MAC address as restriction. I know its not sure but thats the best thing I have in mind and quick solution as well.

Thanks

Re: MAC address whitelist

Capricorn — Mon, 29 Oct 2018 10:10:31 GMT

Right now I just need a Authz rule for

If mac-address in Identity group ABC then allow vlan 20

Re: MAC address whitelist

Aravind Ravichandran — Mon, 29 Oct 2018 10:38:27 GMT

Hi,

You can create a authz rule like IdentityGroup Name EQUALS Endpoint Identity Groups:ABC then vlan 20.

Then you can add the required mac address in ABC identity group Administration> Identity management > Groups > Endpoint Identity group > ABC

-Aravind

Re: MAC address whitelist

Capricorn — Mon, 29 Oct 2018 10:41:21 GMT

I tried this kind of option. The problem with this is that if this condition will become true and it will in any case then it will allow the access automatically.

IdentityGroup Name EQUALS Endpoint Identity Groups:ABC

As I see the logic is that if there is matching ABC endpoint group exist then Authorize VLAN. It will not check the MAC address in side.

Re: MAC address whitelist

hslai — Mon, 29 Oct 2018 12:15:28 GMT

As I see the logic is that if there is matching ABC endpoint group exist then Authorize VLAN. It will not check the MAC address in side.

It does not work that way. The endpoint needs assigned to the endpoint group for the condition to hold true.

Re: MAC address whitelist

hslai — Mon, 29 Oct 2018 12:32:42 GMT

... and as that MAC address was authenticated with below policy then it worked for whitelist policy but once is cache is expired then its not working. ...

You might run into either CSCvi73782 or CSCvk55076.

Re: MAC address whitelist

Capricorn — Mon, 29 Oct 2018 13:43:31 GMT

ok. I did test but not sure I did see Auth succesful and then thought it shouldnt be that way. Auth will be a success as the MAC exist as internal endpoint. I am pretty sure you guys have tested it :).

Just need to double check this for AuthZ.