Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Add New MAC Address for MAB on Identity Groups

Hi Guys,


I want to add new MAC address to Endpoint Identity Groups to my ISE, so my IP phone can bypass dot1x authentication process via MAB. The thing is, I was unable to add the new MAC address since it is not on the available list, even though the IP phone is already connected to the network for more than 1 month. And I could not find a way to add that MAC address to the list. Below is the exhibit of what I found.

Endpoint Identity Groups.JPG

Is there any way I can add MAC address so it can be found on the list?


I found a workaround by connecting the IP phone to a port where dot1x is active. This way, the MAC can be found on the list because it was challenged for authentication. But I find it is not practical since I have hundreds of IP phone to be registered.


Thank you.


Accepted Solutions

Yes it is possible: go to context visibility -endpoints and paste the mac address . It must be there ,than edit and choose the group you want to add. Than in live logs you can see it is successful authenticated via mab

View solution in original post

Damien Miller
VIP Advisor

You can manually import device mac addresses in to the context visibility database and assign them to a static whitelist, but I think you might be going about this the hard way.

You mention that the device does not show up in ISE until you plug it in to a port with dot1x enabled. Your phones should be connected to switchports that have dot1x and mab enabled. This way when the phone is powered on, the switch attempts dot1x, it fails, you then authenticate the device via MAB. If you have the available licensing (plus), then IP phones are ideal candidates for profiling. ISE learns that the devices is an IP phone, it authenticates it via MAB, and then authorizes it in to the voice vlan against a policy set rule for phones.

If you are plugging your phones in to ports without authentication enabled you don't need to authenticate them, I suspect you do want to authenticate them which has me questioning what's going on with your config. You do not add endpoint mac addresses within the window you linked, you create custom identify groups there, you modify an endpoint's membership from the context visibility endpoint database here.


You map the identity groups within your mab authentication policy set rules.  Add the device to the group either via profiling or statically like in the screenshot below.  


Hi Damien,


I have a plan to deploy dot1x authentication on my wired connection, so only laptops with my company's certificate can connect to LAN. But, we have some IP phones and video conference devices that do not have such certificate, and a workaround is a must. My understanding was, if I add those MAC addresses to the endpoint identity groups, the MAB will "authenticate" them. And the extra port on the IP phone can authenticate end devices with my company's certificate.

Hi,again . What kind of IP phones you have in your deployment??If they are Cisco Phones you can authenticate them with Dot1x


Yes it is possible: go to context visibility -endpoints and paste the mac address . It must be there ,than edit and choose the group you want to add. Than in live logs you can see it is successful authenticated via mab

View solution in original post

Hi Ognyan,


This is exactly what I've been looking for the past few days. Thanks.

You can bulk import using the template:

WorkCentre > Network Access > Identities > Endpoints.

Add one mac address to the database and then export it to see the format or when you do import endpoints from CSV, you can generate the template and add MAC addresses and other details in 1 go.(Screenshots attached)




Hope that helps.





I am trying to ADD new MAC address into Identity group 

May i know if import using the template, wht are the fields that shld ONLY fill in? I am thinking of MACaddress and IdentityGroupAssignment only.

Will the ISE  later change the device PolicyAssignment to Avaya-Device(this is the one detected by default if not added manually)? Does this really matter?

Hi @getaway51 


The fields that you require are as below:




Description is optional however as a good practice to fill it for user identification (like if static IP assignment, or location of connection, serial number etc).

In the MAC address/Username, you can enter the MAC address without the formatting as well.


Like: xxxxxxxxxx or xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx, but I always prefer to use the : as a delimiter.


Hope that helps.

Content for Community-Ad