Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2609
Views
10
Helpful
2
Replies

adding MAC prefix within ISE

Go to solution
Jeremy.A.Smith
Level 1
Level 1

‎01-14-2022 09:00 AM

We are currently attempting to have internal devices connect to SSID via MAC within ISE; however, I am attempting to configure ISE using just the prefix of the MAC addresses (1st 3 octets) as all of the devices with start with the same prefix. There are hundreds of devices requiring this connection and was wondering if this is possible?

 

ISE version 2.7

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-14-2022 09:34 AM

however, I am attempting to configure ISE using just the prefix of the MAC addresses (1st 3 octets) as all of the devices with start with the same prefix.

-One option you have would be to rely on device profiling.  Essentially you would profile those devices with some condition (for example MAC:MACAddress STARTSWITH then have the first 3 hex since all the same).  You would then setup the profiler policy to create an identity group which would place your profiled devices in that group.  From there within the radius policies you would utilize this profiled endpoint group as an authz condition + any other conditions you desire for device onboarding.  The catch here is ensuring that the devices meet the MCF and are profiled properly otherwise you may have difficulty.  Lastly, this requires the following licensing (depends on your ISE version):

legacy - plus licensing

new model - advantage licensing

Take a peek here at the following resources:

ISE Licensing Migration Guide (cisco.com)

ISE Profiling Design Guide - Cisco Community

View solution in original post

2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-14-2022 09:34 AM

however, I am attempting to configure ISE using just the prefix of the MAC addresses (1st 3 octets) as all of the devices with start with the same prefix.

-One option you have would be to rely on device profiling.  Essentially you would profile those devices with some condition (for example MAC:MACAddress STARTSWITH then have the first 3 hex since all the same).  You would then setup the profiler policy to create an identity group which would place your profiled devices in that group.  From there within the radius policies you would utilize this profiled endpoint group as an authz condition + any other conditions you desire for device onboarding.  The catch here is ensuring that the devices meet the MCF and are profiled properly otherwise you may have difficulty.  Lastly, this requires the following licensing (depends on your ISE version):

legacy - plus licensing

new model - advantage licensing

Take a peek here at the following resources:

ISE Licensing Migration Guide (cisco.com)

ISE Profiling Design Guide - Cisco Community

Go to solution
Jeremy.A.Smith
Level 1
Level 1
In response to Mike.Cifelli

‎01-14-2022 09:36 AM

Thank you Mike I will give that a try! 

 

0 Helpful
Customers Also Viewed These Support Documents