Beginner

MAC address whitelist

Hi!

 

Cisco ISE version 2.4.

I have created an Endpoint identity group named Whitelist and then added a few MAC addresses to it. The plan is to use this as a whitelist for the few devices we have. I created an authorization policy for it.

 

Radius:Calling-Station-ID MAC_IN Whitelist

This works, but when I tried another MAC the same way it didn't work, and after the weekend the computer that was working is no longer getting the policy and is going to the default deny policy.

It was kind of surprising, but it looks like I had used a policy as below for the MAC address, and as that MAC address was authenticated with the below policy it worked for the whitelist policy, but once its cache expired it stopped working.

Radius:Calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

 

I looked into the documentation below, and my understanding is that as the MAC was authenticated with the above policy it worked for the MAC_IN policy for some time, and after expiration it didn't work.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010010.html

 

 

Now I enabled

Radius:Calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

and then disabled it, and now the below is working.

Radius:Calling-Station-ID MAC_IN Whitelist

I only want that if the MAC exists in the Whitelist it should be authorized.

Thanks for your suggestions and help with this.

 

 

 

Beginner

Re: MAC address whitelist

Hi,

 

Why don't you create a profiling group and add the MAC address? This will allow you to add multiple MAC addresses whenever needed.

Beginner

Re: MAC address whitelist

Hi!

 

The issue with that is, let's say I profile for Huawei phones; then anyone from outside with that model or vendor can join, as I have an open SSID.

Right now I have 10 devices, so I can use the MAC address as a restriction. I know it's not sure, but that's the best thing I have in mind and a quick solution as well.

 

Thanks

Beginner

Re: MAC address whitelist

Right now I just need an Authz rule for:

If MAC address in Identity group ABC then allow VLAN 20

 

 

Re: MAC address whitelist (Accepted Solution)

Hi,

You can create an authz rule like IdentityGroup Name EQUALS Endpoint Identity Groups:ABC, then VLAN 20.

Then you can add the required MAC addresses to the ABC identity group: Administration > Identity management > Groups > Endpoint Identity group > ABC

-Aravind
Beginner

Re: MAC address whitelist

I tried this kind of option. The problem with this is that if this condition becomes true, and it will in any case, then it will allow the access automatically.

IdentityGroup Name EQUALS Endpoint Identity Groups:ABC

As I see it, the logic is that if a matching ABC endpoint group exists then authorize the VLAN. It will not check the MAC address inside.

Cisco Employee

Re: MAC address whitelist

"As I see it, the logic is that if a matching ABC endpoint group exists then authorize the VLAN. It will not check the MAC address inside."

It does not work that way. The endpoint needs to be assigned to the endpoint group for the condition to hold true.
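To make the behaviour described in this reply concrete, here is an added example (not ISE code and not from anyone in this thread) that models the accepted rule: the authorization decision is driven purely by whether the normalized Calling-Station-ID is a member of the endpoint identity group. It also normalizes the MAC formats different NADs send (dash, colon, dotted and bare), since a format mismatch is a common reason a MAC whitelist appears not to match. The group contents and the VLAN 20 result name are constructed for the example.

```python
import re
from typing import Optional

# Accepted Calling-Station-ID shapes: xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx,
# xxxx.xxxx.xxxx (Cisco dotted) and 12 bare hex digits.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Constructed endpoint identity group "ABC": members are stored in one
# canonical form (lowercase, dash-separated) so lookups are format-independent.
ENDPOINT_GROUP_ABC = {"5c-5f-67-c8-58-7f"}


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Return the MAC in canonical lowercase dash form, or None if the
    Calling-Station-ID is not MAC-shaped (e.g. an 802.1X username)."""
    value = calling_station_id.strip()
    if not MAC_RE.match(value):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(calling_station_id: str, group: set) -> str:
    """Model of 'IdentityGroup Name EQUALS ABC -> VLAN 20': permit only when
    the endpoint is a member of the group, otherwise fall to the default deny."""
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in group:
        return "DenyAccess"
    return "PermitAccess-VLAN20"


if __name__ == "__main__":
    for csid in ("5C:5F:67:C8:58:7F", "5c5f.67c8.587f", "5c-5f-67-c8-58-80", "alice"):
        print(f"{csid:>20} -> {authorize(csid, ENDPOINT_GROUP_ABC)}")
```

Only the group membership decides the outcome; an unlisted MAC, or a Calling-Station-ID that is not a MAC at all, lands on the default deny.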

Beginner

Re: MAC address whitelist

OK. I did test, but I'm not sure; I did see Auth successful and then thought it shouldn't be that way. Auth will be a success as the MAC exists as an internal endpoint. I am pretty sure you guys have tested it :).

I just need to double-check this for AuthZ.

 

 

 

Cisco Employee

Re: MAC address whitelist


"... and as that MAC address was authenticated with the below policy it worked for the whitelist policy, but once its cache expired it stopped working. ..."

 


You might run into either CSCvi73782 or CSCvk55076.