https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3203374#M554446 <P>Hi,</P> <P>&nbsp;</P> <P>I created internal endpoint groups which&nbsp;I manually add the MAC address of user's device. The AuthZ policy&nbsp;I&nbsp;created is EndpointGroupA and SSID-GroupA = permit access.&nbsp;</P> <P>&nbsp;</P> <P>I also have CWA portal, users who register to that portal will tag their endpoint as RegisteredDevice.</P> <P>&nbsp;</P> <P>My&nbsp;challenge is when user with MAC addess A (example only) that&nbsp; is manually added to EndpointGroupA registers to CWA portal its MAC address A is now tag as&nbsp;RegisteredDevice.</P> <P>&nbsp;</P> <P>So whenever this MAC address A access the SSID-GroupA&nbsp;which requires MAC-filtered device - it cannot connect to that SSID.</P> <P>&nbsp;</P> <P>Hope you can help me on this. I'm thinking if there is other attribute for MAC filtering that I can use on the policy. Or any additional policy that I can configure.</P> <P>&nbsp;</P> <P>Thanks in advance!</P> Fri, 21 Feb 2020 18:36:41 GMT Mady 2020-02-21T18:36:41Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3203374#M554446 <P>Hi,</P> <P>&nbsp;</P> <P>I created internal endpoint groups which&nbsp;I manually add the MAC address of user's device. The AuthZ policy&nbsp;I&nbsp;created is EndpointGroupA and SSID-GroupA = permit access.&nbsp;</P> <P>&nbsp;</P> <P>I also have CWA portal, users who register to that portal will tag their endpoint as RegisteredDevice.</P> <P>&nbsp;</P> <P>My&nbsp;challenge is when user with MAC addess A (example only) that&nbsp; is manually added to EndpointGroupA registers to CWA portal its MAC address A is now tag as&nbsp;RegisteredDevice.</P> <P>&nbsp;</P> <P>So whenever this MAC address A access the SSID-GroupA&nbsp;which requires MAC-filtered device - it cannot connect to that SSID.</P> <P>&nbsp;</P> <P>Hope you can help me on this. I'm thinking if there is other attribute for MAC filtering that I can use on the policy. Or any additional policy that I can configure.</P> <P>&nbsp;</P> <P>Thanks in advance!</P> Fri, 21 Feb 2020 18:36:41 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3203374#M554446 Mady 2020-02-21T18:36:41Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206606#M554448 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.jpg" style="width: 882px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/2639iA903B674AF3CD20C/image-size/large?v=v2&amp;px=999" role="button" title="Untitled.jpg" alt="Untitled.jpg" /></span></P> <P>Try the attached authorization policies for CWA after the following ones:</P> <P>&nbsp;</P> <P>1-if EndpointGroupA and SSID-GroupA then permit access (manual endpoint entries would get access)</P> <P>2-if Network Access:UseCase EQUALS Guest Flow then permit access</P> <P>***********THE ATTACHED POLICIES WOULD GO HERE*********</P> <P>(the NOT EQUALS can be replaced by NOT CONTAINS</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Oct 2017 18:03:18 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206606#M554448 ajc 2017-10-27T18:03:18Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206609#M554449 <P>BTW, MAB authentication is not safe (spoofing can happen)&nbsp;unless you are ONLY allowing internet access to anyone connected to your SSIDGroupA.</P> Fri, 27 Oct 2017 18:06:31 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206609#M554449 ajc 2017-10-27T18:06:31Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206615#M554450 <P>thanks for your reply. I will try your suggestion. I would like to ask if is it possible to assign endpoint to two different endpoint groups for example? Because I used hotspot, self-registered and BYOD and each has different endpoint group.</P> <P>&nbsp;</P> <P>there's a chance that the mac filtered endpoint connects to all of that portal and it will be tag to different group.</P> Fri, 27 Oct 2017 18:10:17 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206615#M554450 Mady 2017-10-27T18:10:17Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206617#M554451 <P>Yes, it has access to internet only. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 27 Oct 2017 18:12:29 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206617#M554451 Mady 2017-10-27T18:12:29Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206624#M554452 <P>&nbsp;</P> <P>no, you cannot assign an endpoint to different endpoint groups. You would have to play with the authz policies AND the Endpoint Group from the portal (see below).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pic 1.jpg" style="width: 541px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/2641iDD71E73E94850773/image-size/large?v=v2&amp;px=999" role="button" title="pic 1.jpg" alt="pic 1.jpg" /></span></P> Fri, 27 Oct 2017 18:18:44 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206624#M554452 ajc 2017-10-27T18:18:44Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206625#M554453 <P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thanks! it seems that I really need to work on my AuthZ policy. I will definitely try your recommendation.</P> Fri, 27 Oct 2017 18:24:29 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206625#M554453 Mady 2017-10-27T18:24:29Z https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206626#M554458 <P>do not forget to rate, thanks</P> Fri, 27 Oct 2017 18:27:55 GMT https://community.cisco.com/t5/network-access-control/mac-filtering-on-ise/m-p/3206626#M554458 ajc 2017-10-27T18:27:55Z