https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572303#M509703 <HTML><HEAD></HEAD><BODY><P>thanks for your reply , after i checked logs , endpoint profile is&nbsp; "unknown" , and everytime PC/NB connect on this environment , the MAC will auto discovery and list on this profile : </P><P><IMG alt="endpoint profile.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/117224_endpoint profile.jpg" style="width: 620px; height: 349px;" /></P><P>may i adjust it to another profile ? like "workstation" or "profiled" , if yes , where is configuration i should modify ?</P><P><IMG alt="endpoint profiled and workstation.jpg" class="jive-image image-2" src="/legacyfs/online/fusion/117225_endpoint profiled and workstation.jpg" style="width: 620px; height: 349px;" /></P></BODY></HTML> Thu, 24 May 2018 06:38:27 GMT sbmc014 2018-05-24T06:38:27Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572296#M509685 <HTML><HEAD></HEAD><BODY><P>when i connect my laptop on switch in ISE environment , it will be auto discovery via ISE , and list in Home--&gt;summary--&gt;total endpoints :</P><P><IMG alt="home summary endpoints.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/117209_home summary endpoints.jpg" style="height: 349px; width: 620px;" /></P><P></P><P>and put this MAC entry in table :</P><P><IMG alt="put mac in list.jpg" class="jive-image image-2" src="/legacyfs/online/fusion/117210_put mac in list.jpg" style="height: 323px; width: 620px;" /></P><P>When i test 802.1x MACauth via ISE , it always pass due to this MAC existed , any possible i can disable auto discovery endpoints MAC function ? ISE version is 2.4.0</P></BODY></HTML> Wed, 23 May 2018 07:27:24 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572296#M509685 sbmc014 2018-05-23T07:27:24Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572297#M509687 <HTML><HEAD></HEAD><BODY><P>When you connect to the switch and start radius session ISE will learn the mac address. How you configured the switch</P><P>there maybe SNMP configuration too it can learn the mac address from there too.And i think it is necessary all of this for profiling in ISE . And it will not passes if your rules are configured correctly .</P></BODY></HTML> Wed, 23 May 2018 08:02:16 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572297#M509687 ognyan.totev 2018-05-23T08:02:16Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572298#M509688 <HTML><HEAD></HEAD><BODY><P>thanks for your reply , can you give me some advise for how to setting correct configration for MAC auth via</P></BODY></HTML> Wed, 23 May 2018 08:19:29 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572298#M509688 sbmc014 2018-05-23T08:19:29Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572299#M509690 <HTML><HEAD></HEAD><BODY><P>First explain what you want to do ? Show us switch configuration ,show how you create policy ,Authentication and authorization .</P></BODY></HTML> Wed, 23 May 2018 08:38:12 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572299#M509690 ognyan.totev 2018-05-23T08:38:12Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572300#M509693 <HTML><HEAD></HEAD><BODY><P>thanks for your reply , my laptop MAC will be auto discovery in unknown list :</P><P><IMG alt="mac in unknow list.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/117217_mac in unknow list.jpg" style="width: 620px; height: 349px;" /></P><P>and MAC-auth will pass if this MAC existed on this table , and i cannot remove it manually . </P><P></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;">Authentication policy like this :</SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;"><IMG alt="authentication policy.jpg" class="jive-image image-2" src="/legacyfs/online/fusion/117218_authentication policy.jpg" style="width: 620px; height: 332px;" /><BR /></SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;">authorization policy like this :</SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;"><IMG alt="policy set 20180523.jpg" class="jive-image image-3" src="/legacyfs/online/fusion/117219_policy set 20180523.jpg" style="width: 620px; height: 349px;" /></SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;">in my opinion , it should some table that i can maintain (keyin MACs that want to authenticated ) , but i cannot find where is it ? Or other configurations i need to adjust ?<BR /></SPAN></P><P><SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px; font-style: normal; font-weight: 400; text-align: left; text-indent: 0px;"><BR /></SPAN></P></BODY></HTML> Wed, 23 May 2018 10:35:56 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572300#M509693 sbmc014 2018-05-23T10:35:56Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572301#M509697 <HTML><HEAD></HEAD><BODY><P>Yes i am pretty sure it hits basic network access ,first of all disconnect your laptop from switch second delete endpoint mac address from context visibility ,than reconnect your laptop to switch and see what happen .I never use this rule and in mine deployment i disable it .I prefer mine rules nor default ones. </P></BODY></HTML> Wed, 23 May 2018 10:41:46 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572301#M509697 ognyan.totev 2018-05-23T10:41:46Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572302#M509701 <HTML><HEAD></HEAD><BODY><P>You cannot disable the discovery, but if goal is to only allow access to endpoints explicitly assigned to an access group, then you can go to Administration &gt; Identity Management &gt; Groups &gt; Endpoint Identity Groups to add, import (via file/LDAP) MAD addresses into the desired group for policy assignment.&nbsp; You can also use ERS API to update the endpointd and group memberships.</P><P></P><P>Note that an given MAC address can belong to only one Endpoint Identity Group at a time, so may be worth looking into Custom Attributes if wish endpoints to belong to multiple classifications for policy assignment.</P></BODY></HTML> Wed, 23 May 2018 11:18:25 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572302#M509701 Craig Hyps 2018-05-23T11:18:25Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572303#M509703 <HTML><HEAD></HEAD><BODY><P>thanks for your reply , after i checked logs , endpoint profile is&nbsp; "unknown" , and everytime PC/NB connect on this environment , the MAC will auto discovery and list on this profile : </P><P><IMG alt="endpoint profile.jpg" class="image-1 jive-image" src="/legacyfs/online/fusion/117224_endpoint profile.jpg" style="width: 620px; height: 349px;" /></P><P>may i adjust it to another profile ? like "workstation" or "profiled" , if yes , where is configuration i should modify ?</P><P><IMG alt="endpoint profiled and workstation.jpg" class="jive-image image-2" src="/legacyfs/online/fusion/117225_endpoint profiled and workstation.jpg" style="width: 620px; height: 349px;" /></P></BODY></HTML> Thu, 24 May 2018 06:38:27 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572303#M509703 sbmc014 2018-05-24T06:38:27Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572304#M509705 <HTML><HEAD></HEAD><BODY><P>No you cannot</P><P></P><P>Would recommend if you’re so concerned with this you disable default authorization rule for authenticated that comes on out of box</P><P></P><P>Recommendation is to authenticate all but then put an authorization for those you don’t want to allow that redirects them to a portal page with insurrections and gives them limited access</P><P></P><P>Then only authorize with more access those groups you have built manually perhaps?</P><P></P><P>If valid group then permit access full?</P></BODY></HTML> Thu, 24 May 2018 11:16:59 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572304#M509705 Jason Kunst 2018-05-24T11:16:59Z https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572305#M509707 <HTML><HEAD></HEAD><BODY><P>In the absence of an explicit ID group assignment, endpoints will have a default ID Group assigned based on its profile status.&nbsp; If end does not match a known profile, it is assigned a group of Unknown.&nbsp; If it matches a known profile, it is assigned a group of Profiled.&nbsp; If enable profile to "Create Matching Identity Group", it will then be assigned to an Identity Group based on Profile name.</P><P></P><P>In your case, if wish these endpoints to be granted or denied access, then assign them to a specific ID group and ignore profile.</P><P></P><P>Craig</P></BODY></HTML> Thu, 24 May 2018 12:43:36 GMT https://community.cisco.com/t5/network-access-control/can-i-disable-auto-discovery-endpoints-in-ise/m-p/3572305#M509707 Craig Hyps 2018-05-24T12:43:36Z