topic Re: ISE Posture - Client MAC address in Network Access Control

ISE Posture - Client MAC address

manvik — Wed, 22 Dec 2021 06:06:34 GMT

Can ISE only permit Remote VPN access from systems with permitted MAC address?

VPN used is anyconnect and it's authentication via ISE

Posturing like AV, OS etc are running successfully now

One more condition needs to add into posture, User MAC address (LAN or WiFi adapter MAC).

Re: ISE Posture - Client MAC address

Mike.Cifelli — Wed, 22 Dec 2021 12:53:29 GMT

Can ISE only permit Remote VPN access from systems with permitted MAC address?

-Pending that you have a list of the permitted MACs why not add a L2 mab identity group in the rad policy as another authz condition? Have you tested that idea yet?

Re: ISE Posture - Client MAC address

Arne Bier — Wed, 22 Dec 2021 20:49:26 GMT

In reply to Mike's comment, see if the Access-Request contains a Calling-Station-Id. I am unsure what MAC address will be contained there - wired or wireless - or in the worst case, a randomised MAC address.

Re: ISE Posture - Client MAC address

manvik — Thu, 23 Dec 2021 06:57:18 GMT

Thank you Guys. It worked, created MAC address list and called it in Auth policies.

Added MAC address list in - Work Centers > Network Access > Identities

Created a MAC Group in - System Identity Management > Groups and added all MAC to it

Referred the MAC group in - Policy set > Authorization policy

Condition used - IdentityGroup Name Equals "Identity Group Name"

** Be sure to set DenyAccess Profile for Default Authorization policy