Cisco Employee

Cisco ISE AAA Policy

Hi team,

 

Our customer is asking us for an AAA policy as below: only "domain user + MAC address" can access their internal network.

Can ISE support a combined condition like that? We are using ISE 2.4 Patch 8.

Your quick support is highly appreciated. Thanks in advance.

 

Br,

hainm

 

 

1 REPLY
Rising star

Re: Cisco ISE AAA Policy

Yes, if they are doing 802.1x to authenticate the domain user, you can check AD group membership and also in the same policy require the endpoint MAC address to be defined or part of a group.


Example AuthZ policy: If AD Group = Domain Users AND Endpoint Identity Group = Whitelist (or whatever you want to call it), then permit access.