Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
1
Helpful
4
Replies

MyDevicePortal with device type customization

Go to solution
rovargas
Cisco Employee
Cisco Employee

‎09-14-2017 05:40 AM

A customer with many factories wants to delegate the MAC address lifecycle to each factory administrator.

They do not want this factory administrators to be ISE admins, but they want to allow them to add/remove MAC addresses whenever they come with a new factory device (non-802.1x obviously).

They planned to use ISE mydeviceportal so that each factory administrator can login and add their new MAC addresses when needed. They want to give them the flexibility of adding different device types, so that each device type have different network access.

As far as we have seen, mydeviceportal statically assigns all devices to an identitygroup (RegisteredDevice by default), so we though on using the "Device name" or "Device description" field in the authorization profile. Unfortunatelly both fields are not available.

Any suggestion on how to solve this scenario?

We though on using API, but we want to check if there is any way using an ISE portal...

Thanks

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to hslai

‎09-18-2017 08:48 AM

Please reach out to our product managers through sales channels to request an IOT type of management portal that would address this

View solution in original post

0 Helpful
4 Replies 4

Go to solution
paul
Level 10
Level 10

‎09-14-2017 05:58 AM

Why not create a custom role in ISE that grants them access to only the Context Visibility->Endpoints screen and gives them read/write access to the Endpoint Identity Groups you want to manage.  Then you train them how to edit MAC addresses on the Context Visibility screen.

The role based administration in ISE is highly flexible.

0 Helpful

Go to solution
rovargas
Cisco Employee
Cisco Employee
In response to paul

‎09-14-2017 06:27 AM

Thanks for the suggestion.

Yes, ISE is very flexible in RBAC terms, but we wanted to simplify the user experience as much as possible and mydeviceportal seems the best way...

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to rovargas

‎09-15-2017 10:16 PM

You are correct that each of mydevices portal assigns endpoints to only one endpoint identity group and other attributes are not exposed for authorization policy evaluations. One way around it is to use multiple portals and each uses a different id group.

Screen Shot 2017-09-16 at 05.10.42.png

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to hslai

‎09-18-2017 08:48 AM

Please reach out to our product managers through sales channels to request an IOT type of management portal that would address this

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents