https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035353#M587938 <P>I know of a customer who gives their IT folks limited access to ISE to add Ethernet MAC addresses to an ISE PXEBoot Endpoint Identity Group. The access is so limited that all they see is the Context Visibility, and they only have write permission to the PXEBoot Endpoint Identity Group.&nbsp; That's as close to a portal as you'll get.</P> <P>An ISE AuthZ rule then applies a dACL to permit any any when it sees that MAC address. You can try to make the dACL more watertight but then you must study the traffic flows carefully (DHCP/BOOTP, DNS, TFTP, etc.)</P> <P>That Identity Group gets purged every 24 hours. Enough time to allow someone to re-image a PC. If you got really smart about it, you could integrate your ticketing system (e.g. Service Now) to poke the MAC address into ISE via REST API.</P> Wed, 06 Mar 2024 20:30:23 GMT Arne Bier 2024-03-06T20:30:23Z https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035286#M587936 <P>Hello,</P><P>I have been tasked to secure the ports our helpdesk uses to imagine new machines.&nbsp; They used to use a secured room to do this but they have since changed to imagine laptops at their work stations.&nbsp; My first thought was to use an ACL to limit what the switchport had access to talk with.&nbsp; We use ISE with MAB and after looking into this some more, could I use ISE to create a splash screen where the help desk person would have to enter their login cred's after connecting the laptop?&nbsp; Or has someone found a better solution for this?</P><P>Thanks!!!</P> Wed, 06 Mar 2024 18:45:38 GMT https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035286#M587936 Jerry10 2024-03-06T18:45:38Z https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035287#M587937 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1695630">@Jerry10</a> yes, you could use Central Web Authentication (CWA) portal which uses AD for authentication.&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html</A></P> <P>You could also push down a DACL to the authenticated users (post CWA) to allow the devices only enough access to image the devices.</P> Wed, 06 Mar 2024 18:49:55 GMT https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035287#M587937 Rob Ingram 2024-03-06T18:49:55Z https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035353#M587938 <P>I know of a customer who gives their IT folks limited access to ISE to add Ethernet MAC addresses to an ISE PXEBoot Endpoint Identity Group. The access is so limited that all they see is the Context Visibility, and they only have write permission to the PXEBoot Endpoint Identity Group.&nbsp; That's as close to a portal as you'll get.</P> <P>An ISE AuthZ rule then applies a dACL to permit any any when it sees that MAC address. You can try to make the dACL more watertight but then you must study the traffic flows carefully (DHCP/BOOTP, DNS, TFTP, etc.)</P> <P>That Identity Group gets purged every 24 hours. Enough time to allow someone to re-image a PC. If you got really smart about it, you could integrate your ticketing system (e.g. Service Now) to poke the MAC address into ISE via REST API.</P> Wed, 06 Mar 2024 20:30:23 GMT https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035353#M587938 Arne Bier 2024-03-06T20:30:23Z https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035394#M587941 <P>See a similar discussion in the following post. It's an old discussion, but still relevant. Other options you could consider are inserting API calls into build process tree.</P> <P><A href="https://community.cisco.com/t5/network-access-control/pc-imaging-on-nac-secured-ports/td-p/3486098" target="_blank" rel="noopener">PC Imaging on NAC secured ports</A>&nbsp;</P> Wed, 06 Mar 2024 21:37:57 GMT https://community.cisco.com/t5/network-access-control/new-pc-imagining/m-p/5035394#M587941 Greg Gibbs 2024-03-06T21:37:57Z