
adding MAC prefix within ISE

Jeremy.A.Smith
Level 1

We are currently attempting to have internal devices connect to an SSID via MAC within ISE; however, I am attempting to configure ISE using just the prefix of the MAC addresses (1st 3 octets), as all of the devices will start with the same prefix. There are hundreds of devices requiring this connection, and I was wondering if this is possible?

ISE version 2.7

Accepted Solutions

Mike.Cifelli
VIP Alumni

however, I am attempting to configure ISE using just the prefix of the MAC addresses (1st 3 octets) as all of the devices will start with the same prefix.

-One option you have would be to rely on device profiling. Essentially you would profile those devices with some condition (for example, MAC:MACAddress STARTSWITH, then have the first 3 hex since they are all the same). You would then set up the profiler policy to create an identity group which would place your profiled devices in that group. From there, within the RADIUS policies, you would utilize this profiled endpoint group as an authz condition + any other conditions you desire for device onboarding. The catch here is ensuring that the devices meet the MCF and are profiled properly, otherwise you may have difficulty. Lastly, this requires the following licensing (depends on your ISE version):

legacy - plus licensing

new model - advantage licensing

Take a peek here at the following resources:

ISE Licensing Migration Guide (cisco.com)

ISE Profiling Design Guide - Cisco Community
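One way to pre-check a device list against the first-three-octet STARTSWITH condition described in the answer above, as an added example that is not part of the original thread and is not Cisco code. The prefix, the sample addresses and the function names are constructed, and it assumes the comparison is made against colon-separated uppercase MAC strings.

```python
import re
from collections import Counter

OUI_PREFIX = "00:11:22"  # constructed placeholder: replace with your devices' first 3 octets

# Constructed sample inventory mixing the MAC notations that turn up in exports.
SAMPLE_INVENTORY = [
    "00:11:22:aa:bb:01", "0011.22AA.BB02", "00-11-22-AA-BB-03",
    "00:11:22:AA:BB:01",   # same device as the first entry, different case
    "DA:A1:19:00:00:01",   # locally administered (typical of randomized MACs)
    "00:11:23:AA:BB:04",   # different vendor prefix
    "0011.22AA.BB",        # truncated entry
]

def normalize_mac(raw):
    """Return the MAC as uppercase XX:XX:XX:XX:XX:XX, or None if it is malformed."""
    digits = re.sub(r"[:.\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet set means the address is not vendor-assigned."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(inventory, prefix=OUI_PREFIX):
    """Sort entries by whether a STARTSWITH <prefix> condition would cover them."""
    prefix = prefix.upper()
    report = {"match": [], "no_match": [], "local_admin": [], "invalid": [], "duplicate": []}
    seen = Counter()
    for raw in inventory:
        mac = normalize_mac(raw)
        if mac is None:
            report["invalid"].append(raw)
            continue
        seen[mac] += 1
        if seen[mac] > 1:
            report["duplicate"].append(mac)
        elif mac.startswith(prefix):
            report["match"].append(mac)
        elif is_locally_administered(mac):
            report["local_admin"].append(mac)
        else:
            report["no_match"].append(mac)
    return report

if __name__ == "__main__":
    for bucket, macs in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:12} {macs}")
```

Entries in the `local_admin` and `no_match` buckets would not be covered by the prefix condition and need to be handled some other way.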


Thank you Mike I will give that a try!