topic bound guest user with mac address in cisco ise in Network Access Control

bound guest user with mac address in cisco ise

Elbeshti1 — Sat, 09 Apr 2022 02:54:56 GMT

i have question about how to bound guest users with their mac address as we have already more than 1000 guest user that already provisioned in "Workstation" identity group, also i create a new identity group named "Guest 2022".

also we use ASA SSL VPN (Web VPN) instead of ISE Guest User Portal and it's difficult to force guest user to register their device again.

Any HELP ?

Re: bound guest user with mac address in cisco ise

Arne Bier — Mon, 11 Apr 2022 04:22:44 GMT

Hi @Elbeshti1

Not sure I follow your exact requirement, but are you saying that you want to perform MAB for a bunch of endpoints whose MAC addresses exist in a named Endpoint Identity Group. If so, then of course this is just a simple Authentication check against the Internal Endpoints, and then a successful Authorization if the Endpoint is in that Endpoint Identity Group.

You need to be more specific about your ISE Policy Set config. And, is this wired or wireless, etc.? Has the NAD been configured for MAB already?

Re: bound guest user with mac address in cisco ise

thomas — Fri, 15 Apr 2022 18:47:28 GMT

I agree with @Arne Bier , it is not clear what you are trying to do.

I do not understand what a VPN has to do with guest access - these are completely different scenarios.

MAC authentication is not the recommended way to do Guest authentication.

Putting MAC addresses into endpoint identity groups is more appropriate for managed assets or IOT devices.

Please be specific about the exact scenario you want to enable and if something is not working as expected, please share the necessary configurations from the components involved (endpoint, network device, ISE, etc.) as explained in

Re: bound guest user with mac address in cisco ise

Elbeshti1 — Fri, 15 Apr 2022 23:27:38 GMT

we use SSL AnyConnect With ISE Authentication as showed in the link below:

https://www.youtube.com/watch?v=499W8sHYn-I

instead of using an internal user in policy set rule we use guest user

my question is how bind the mac address of each guest user with his username ??

Re: bound guest user with mac address in cisco ise

thomas — Fri, 15 Apr 2022 23:48:03 GMT

I do not understand why "guest users" are using VPN.

> how bind the mac address of each guest user with his username??

If you want to bind a username to a MAC address, you would need to do that with an external identity store and compare the RADIUS Calling-Station-ID (user's MAC address) to an attribute of the user in the identity store.

Alternatively, you could do it with ISE internal users and store the bound MAC address in the Internal User Custom Attributes ("GuestMAC" for example).

And the policy looks like this:

Re: bound guest user with mac address in cisco ise

Arne Bier — Sat, 16 Apr 2022 08:40:06 GMT

When the user connects via SSL VPN, take a look at the Calling Station ID attribute that comes to ISE with the access request. That is the closest you’ll get to a MAC address.

Re: bound guest user with mac address in cisco ise

hslai — Wed, 20 Apr 2022 00:31:37 GMT

For RA-VPN, the calling-station-ID is the public IP of the endpoint but NOT the mac address. If macOS or Windows endpoints using AnyConnect to connect to ASA or FTD head-ends, the VPN client module gathers the mac addresses and send them over to ISE via the head-ends so ISE may authorize the endpoints based on the endpoint attributes. Thus, I would suggest creating a custom attribute for the user owner, unless an exiting attribute has the info.