topic Re: Prevent Endpoint Group Changes in Network Access Control

Prevent Endpoint Group Changes

JASON BOYERS — Tue, 30 Aug 2016 13:57:36 GMT

Is there any way of preventing users from changing an endpoint that has already been manually entered into one endpoint group to another group? And, is there a way of preventing users from putting in a MAC address in My Devices that has already been put into another group (whether a BYOD endpoint group or in another manually entered group.) One of my customers has experienced these scenarios in two ways:

1) Put a number of devices into an endpoint group as internal devices. User logs into the device and goes through the BYOD process and now the endpoint is moved to the BYOD endpoint group. I know that we can change the authorization policy order, including putting in a deny policy for the endpoint group if others log into it. However, I don't think that the BYOD process should change the endpoint group.

2) A user put the MAC address for an internal endpoint into their My Devices portal, now associating that MAC with their account. So, now that device can't access internal resources. This could be entered by mistake or purposefully.

Re: Prevent Endpoint Group Changes

Charlie Moreton — Tue, 30 Aug 2016 14:38:17 GMT

Onesies or twosies can be addressed by going to Context Visibility > Endpoints and opening the endpoint details. Click the Edit Endpoint icon...

...and then choose Static Group Assignment and Save.

For bulk entries, you can use the Import CSV function. Again, start at Context Visibility > Endpoints and select Import > Import From File.

You can download a template for this file from the pop up dialog:

You're looking for column AT in the template file. Set that to TRUE for all endpoints that you want to keep in a specific Endpoint Identity Group. The Endpoint Identity Group is assigned in Column C.

Once this template is filled and complete, upload it and the Endpoint Identity Groups will remain static for the endpoints assigned.

These instruction are for ISE v2.1. In 2.0 and below, go to Administration > Identity Management > Identities.

Re: Prevent Endpoint Group Changes

JASON BOYERS — Tue, 30 Aug 2016 14:47:41 GMT

In all cases, when I look at the individual endpoints, whether internal endpoints uploaded via CSV or put in via the BYOD registration process, they all show as Static Group Assignment. We need something that says that if it has a static group assignment, don't allow it to be changed (except by an administrator or such.)

Re: Prevent Endpoint Group Changes

hslai — Mon, 05 Sep 2016 02:42:03 GMT

CSCuy83379 MyDevices portal overrides statically Blacklisted endpoint

is addressed in ISE 2.1, ISE 2.0.1 Patch 1, and ISE 1.4 Patch 8 and planned for next ISE 2.0 Patch release.

With its fix, we may statically assign endpoints to Blacklist or a child group under Blacklist to avoid it being overridden by MyDevices.

Re: Prevent Endpoint Group Changes

JASON BOYERS — Mon, 05 Sep 2016 13:40:16 GMT

Thanks. I'll let our customer know. Looks like that bug needs to be updated to reference those fixes, as well as that the issue isn't just for Blacklisted devices but for any statically defined group.