https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361628#M549442 Yes you can do that on ise.<BR />You need to create at the top a rule saying your mac group containing all your internal hosts + your wlan id = deny.<BR />Instead of wlan id you can also use normalisedradius contains ssidname<BR /> Fri, 06 Apr 2018 04:02:47 GMT Francesco Molino 2018-04-06T04:02:47Z https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3358795#M549432 <P>Hi Expert,</P> <P>&nbsp;</P> <P>I have a problem, we have wifi guest and <SPAN>wifi&nbsp;</SPAN>internal network. but i found that many of our internal usage use the guest wifi rather than internal wifi since the internal wifi block some web page.</P> <P>&nbsp;</P> <P>On this moment, i have our internal user's device Mac address only. Can I control on guest wifi that if the mac address match the list (internal's device list), then this device cannot access the guest network? Can ISE do that?</P> <P>&nbsp;</P> <P>thanks</P> Fri, 21 Feb 2020 18:52:32 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3358795#M549432 osw200051 2020-02-21T18:52:32Z https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3358798#M549436 <P>Hi</P> <P>&nbsp;</P> <P>Do you have a group containing all your internal hosts mac&nbsp;addresses?</P> <P>&nbsp;</P> <P>If so, you can duplicate the guest rule internal hosts are hitting above it&nbsp;and add your internal mac addresses group as condition and switch the rule as denied instead of permit.</P> <P>&nbsp;</P> Mon, 02 Apr 2018 03:34:30 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3358798#M549436 Francesco Molino 2018-04-02T03:34:30Z https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361012#M549438 Hi Francesco,<BR /><BR />Very happy for see your reply that can help me.<BR />Your suggestion can be done on ISE?<BR /><BR />Thanks Thu, 05 Apr 2018 08:58:07 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361012#M549438 osw200051 2018-04-05T08:58:07Z https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361628#M549442 Yes you can do that on ise.<BR />You need to create at the top a rule saying your mac group containing all your internal hosts + your wlan id = deny.<BR />Instead of wlan id you can also use normalisedradius contains ssidname<BR /> Fri, 06 Apr 2018 04:02:47 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361628#M549442 Francesco Molino 2018-04-06T04:02:47Z https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361834#M549443 <P>What version are you running?.</P> <P>&nbsp;</P> <P>I have seen endpoint group value being modified after successful or failed authentication so even though you have the internal MAC addresses in an specific endpoint group, that value could change to Unknown, Blank or Profiled so they would eventually be authenticated using again the Guest SSID because you would not hit the new Authz policy for internal users.</P> <P>&nbsp;</P> <P>I am assuming you have a guest network with only an AUP page or similar, no authentication. I would suggest you to evaluate modifying that to something like webauth so you can actually control who get access to that SSID.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 06 Apr 2018 14:17:48 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-controlled-by-mac-address/m-p/3361834#M549443 ajc 2018-04-06T14:17:48Z