Cisco Employee

MyDevicePortal with device type customization

A customer with many factories wants to delegate the MAC address lifecycle to each factory administrator.

They do not want these factory administrators to be ISE admins, but they want to allow them to add/remove MAC addresses whenever they come with a new factory device (non-802.1x, obviously).

They planned to use the ISE mydeviceportal so that each factory administrator can log in and add their new MAC addresses when needed. They want to give them the flexibility of adding different device types, so that each device type has different network access.

As far as we have seen, mydeviceportal statically assigns all devices to an identity group (RegisteredDevice by default), so we thought of using the "Device name" or "Device description" field in the authorization profile. Unfortunately, both fields are not available.

Any suggestion on how to solve this scenario?

We thought of using the API, but we want to check if there is any way using an ISE portal...

Thanks

Accepted Solutions
Cisco Employee

Re: MyDevicePortal with device type customization

Please reach out to our product managers through sales channels to request an IoT type of management portal that would address this.

4 REPLIES 4
VIP Engager

Re: MyDevicePortal with device type customization

Why not create a custom role in ISE that grants them access to only the Context Visibility->Endpoints screen and gives them read/write access to the Endpoint Identity Groups you want to manage? Then you train them how to edit MAC addresses on the Context Visibility screen.

The role-based administration in ISE is highly flexible.

Cisco Employee

Re: MyDevicePortal with device type customization

Thanks for the suggestion.

Yes, ISE is very flexible in RBAC terms, but we wanted to simplify the user experience as much as possible and mydeviceportal seems the best way...

Cisco Employee

Re: MyDevicePortal with device type customization

You are correct that each mydevices portal assigns endpoints to only one endpoint identity group and other attributes are not exposed for authorization policy evaluations. One way around it is to use multiple portals, each using a different ID group.

