topic Re: MAC address whitelisting/Scripts for automation. in Network Access Control

MAC address whitelisting/Scripts for automation.

network_geek1979 — Wed, 24 Aug 2022 17:54:13 GMT

Team,
Has anyone tried adding MAC address for whitelisting using any script or API?

What I really want to do is add a policy which should allow MAC addresses to get authorized to the Network, but we cannot add these MAC address manually. We are looking at some API or some command to do this. Is this even possible on the ISE?

Regards,

N!!

Re: MAC address whitelisting/Scripts for automation.

balaji.bandi — Wed, 24 Aug 2022 18:35:38 GMT

MAC address whitelisting/Scripts for automation.

possible many difference ways ?

On what device you are trying ? what IOS code it running.

if you have ISE you can Manage MAC address list.

again we need to know more details here.

Re: MAC address whitelisting/Scripts for automation.

Rob Ingram — Wed, 24 Aug 2022 18:42:29 GMT

@network_geek1979 yes ISE supports API. You can create the MAC address endpoint and add this to an Identity Group, you can then use this Identity Group in an Authorisation rule to whitelist the group of MAC addresses.

Here is the API guide, in particular how to create endpoints - https://developer.cisco.com/docs/identity-services-engine/latest/#!endpoint

You can expand on this to import MAC addresses in bulk

Re: MAC address whitelisting/Scripts for automation.

davidgfriedman — Wed, 24 Aug 2022 18:46:27 GMT

Rob's right. It is easy enough. I did a Postman "Runner" where you input the MAC address and it sets things up for you. Mine was just a proof-of-concept for using ERS to quarantine an endpoint for our SOC (now there is pxGrid for that too). There are lots of ways to use ERS (for fun!). If you plan to static map the Identity Group, be careful if you are using Custom Attributes, as i think I recall one bug scrub for some ISE v2.X version where static mapping groups erased custom attributes (maybe?). Always check your version's known bugs for your patch level. It may well be you're on a newer version where that vague recollection of an issue was solved, or I may have some of that point of concern wrong in my head after all this time.

Regards,
David

Re: MAC address whitelisting/Scripts for automation.

network_geek1979 — Thu, 25 Aug 2022 07:09:07 GMT

Hi BB, I believe you are asking about Cisco switches. Is yes, we run different versions in the network.

Actually, my use case is running a script on the end user machine itself which will reach out to ISE and add a static MAC as a whitelist on the ISE. Eventually, I also want to delete this static MAC address entry though.

Regards!!

Re: MAC address whitelisting/Scripts for automation.

network_geek1979 — Thu, 25 Aug 2022 08:53:01 GMT

Hi Rob, Yes, this is something I will have to try. 🙂
I'll work on some script to add this endpoint to a manually created Identity Group. Let me see how it works.

This helps me.

Re: MAC address whitelisting/Scripts for automation.

network_geek1979 — Thu, 25 Aug 2022 08:54:20 GMT

Thanks David.

Re: MAC address whitelisting/Scripts for automation.

Arne Bier — Thu, 25 Aug 2022 23:45:07 GMT

Another cool approach for small networks is to use the Vanilla ISE python application, which you can run on any box that has Python 3 interpreter, and access to the Admin node and switches. It has a nice graphical display of your switch (or switch stack) and you can just right click on a port to make it NAC Exempt. Easy as that. No MAC address involved. This approach is nice if you know which port you want to make exempt for that user.

GitHub - obrigg/Vanilla-ISE: Vanilla ISE is a lightweight, simplified UI for operating Cisco's Identity Services Engine (Cisco ISE)