A customer with many factories wants to delegate the MAC address lifecycle to each factory administrator.
They do not want these factory administrators to be ISE admins, but they want to allow them to add/remove MAC addresses whenever they come with a new factory device (non-802.1X obviously).
They planned to use the ISE mydeviceportal so that each factory administrator can log in and add their new MAC addresses when needed. They want to give them the flexibility of adding different device types, so that each device type has different network access.
As far as we have seen, mydeviceportal statically assigns all devices to an identity group (RegisteredDevice by default), so we thought of using the "Device name" or "Device description" field in the authorization profile. Unfortunately, both fields are not available.
Any suggestion on how to solve this scenario?
We thought of using the API, but we want to check if there is any way using an ISE portal...
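The API route the question mentions, as an added example that is not part of the thread: a small helper that registers a factory device's MAC through the ISE ERS endpoint resource with a static assignment to an endpoint identity group chosen per device type. It assumes ERS is enabled (port 9060) with an ERS-Admin account, that the `ERSEndPoint` body fields follow the ERS endpoint resource, and the group IDs are constructed placeholders.

```python
"""Added example (not from the thread): build and send ISE ERS requests that put a
factory device into an endpoint identity group selected by device type.
Assumptions: ERS enabled on :9060, ERS-Admin credentials, body fields per the ERS
'endpoint' resource; group IDs below are constructed placeholders."""
import re

# Constructed mapping from the device type a factory admin picks to the ISE
# endpoint identity group ID. Replace with the real IDs returned by
# GET /ers/config/endpointgroup on your deployment (assumed resource name).
DEVICE_TYPE_GROUPS = {
    "plc": "PLACEHOLDER-GROUP-ID-PLC",
    "hmi": "PLACEHOLDER-GROUP-ID-HMI",
    "printer": "PLACEHOLDER-GROUP-ID-PRINTER",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:aa:bb:cc, 0011.22aa.bbcc or 001122aabbcc; return the
    colon-separated upper-case form ISE uses, or raise ValueError otherwise."""
    cleaned = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_request(base_url: str, mac: str, device_type: str, description: str):
    """Return (url, json_body) for POST /ers/config/endpoint. staticGroupAssignment
    keeps profiling from moving the endpoint out of the group the admin chose."""
    if device_type not in DEVICE_TYPE_GROUPS:
        raise ValueError(f"unknown device type {device_type!r}; "
                         f"allowed: {sorted(DEVICE_TYPE_GROUPS)}")
    mac_norm = normalize_mac(mac)
    body = {"ERSEndPoint": {
        "name": mac_norm,
        "mac": mac_norm,
        "description": description,
        "groupId": DEVICE_TYPE_GROUPS[device_type],
        "staticGroupAssignment": True,
    }}
    return f"{base_url.rstrip('/')}/ers/config/endpoint", body


def register_endpoint(base_url, user, password, mac, device_type, description) -> int:
    """Send the request; TLS verification stays on (default verify=True)."""
    import requests  # imported here so the helpers above work without it
    url, body = build_endpoint_request(base_url, mac, device_type, description)
    resp = requests.post(url, auth=(user, password), json=body,
                         headers={"Accept": "application/json"}, timeout=10)
    resp.raise_for_status()  # ERS returns 201 Created on success
    return resp.status_code
```

Restricting the mapping to known device types is what enforces the per-type access split the question asks for; the calling account should itself be limited to ERS rather than full ISE admin.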
Why not create a custom role in ISE that grants them access to only the Context Visibility->Endpoints screen and gives them read/write access to the Endpoint Identity Groups you want to manage. Then you train them how to edit MAC addresses on the Context Visibility screen.
The role based administration in ISE is highly flexible.
Thanks for the suggestion.
Yes, ISE is very flexible in RBAC terms, but we wanted to simplify the user experience as much as possible and mydeviceportal seems the best way...
You are correct that each My Devices portal assigns endpoints to only one endpoint identity group and other attributes are not exposed for authorization policy evaluations. One way around it is to use multiple portals, each using a different ID group.