topic Re: Cisco ISE wired NAC bypass using MAC in Network Access Control

Cisco ISE wired NAC bypass using MAC

ali007 — Wed, 12 Apr 2023 14:39:44 GMT

Hi,

the business doesn't want us to use the portal included in ISE for NAC bypass using MAC so wondering is there any other way of doing this i.e. using a script, or Service now integration etc.? or integration with sponsor portal?

Regards

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Wed, 12 Apr 2023 15:11:08 GMT

To do what exactly? Bypass authentication? Is this wired or wireless? Guest? Something else? Do you mean you don't want to do MAB? Or rely on some other attribute for non-802.1X devices?

https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Wed, 12 Apr 2023 15:20:03 GMT

so users whose machine fail to authenticate using NAC (802.1x EAP-TLS), this bypass will provide them temporary access using MAC address.

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Wed, 12 Apr 2023 15:26:09 GMT

So how would the MAC address get added to ISE? Is that what you are asking?

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Thu, 13 Apr 2023 08:19:49 GMT

Exactly... I know how its done through ISE GUI but is it possible to either script it using API or integrate serviceNow or ISE sponsor portal etc.?

if so, do you have document that explains this part?

thanks

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Thu, 13 Apr 2023 12:33:14 GMT

API is probably your best/most scalable way to do this: https://developer.cisco.com/identity-services-engine/

If you are going to do this with the Sponsor Portal then you might as well just use the regular GUI.

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Mon, 17 Apr 2023 09:35:15 GMT

Hi,

thanks for your help so far. cant seem to find anyone with good scripting skill to utilise API. so came across BYOD portal.. and it ticks all the boxes however I can't seem to find a way to control access to the BYOD portal. Any ideas? can we somehow restrict this portal access to an AD group or perhaps a local ISE user group?

Regards

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Mon, 17 Apr 2023 12:38:59 GMT

How is BYOD portal any different than just going to Context Visibility and manually placing the endpoint in the "bypass" group? Do you mean the My Devices portal?

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Mon, 17 Apr 2023 12:41:27 GMT

Hi, yes I meant the device portal. apologies.

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Mon, 17 Apr 2023 13:14:20 GMT

Again though, how is this different than just going to Context Visibility and placing the endpoint in the bypass group? Is the idea that this portal will be used by non-technical users? You can enable AD login to the My Devices portal but you have better RBAC through the regular admin GUI.

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Mon, 17 Apr 2023 13:26:48 GMT

yh with devices portal you can capture more information plus the view is better. can you please share the steps on how to enable AD login to Devices porta? been looking from a while now but struggling.

Regards

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Mon, 17 Apr 2023 15:02:20 GMT

Put your Active Directory Join Point here:

Administration -> Device Portal Management -> My Devices -> [select your portal] -> Portal Settings

Re: Cisco ISE wired NAC bypass using MAC

ali007 — Tue, 18 Apr 2023 09:53:17 GMT

Hi Mate, thanks once again. wondering what would my policy look like, I have figured this part out. Just don;t know where to start with the policy. as AD Join Point, will allow the entire domain or the groups defined in that domain join point but I want to restrict access to a particular group.

appreciate all your help.

Re: Cisco ISE wired NAC bypass using MAC

ahollifield — Tue, 18 Apr 2023 11:46:29 GMT

So if I am understanding your use-case correctly, you would have two Policy Sets. One for 802.1X and one for MAB. In your 802.1X policy you would use conditions to place different enforcement profiles based on AD Group (dACLS, VLANs, etc.). In your MAB policy you would have a condition for your My Devices Whitelist like "Endpoint ID group = [whatever your Endpoint ID group specified in the My Devices Portal]". Then a simple PermitAccess or whatever enforcement you like for this bypass list.

I would also suggest checking out the ISE YouTube content here: https://www.youtube.com/@CiscoISENetworkSecurity