API to add an endpoint MAC address to an Identity Group

Folks,
What we are looking for is adding a MAC address as an endpoint to an already existing Identity Group.
However, what we are looking at is some kind of NT authentication from the end user to add the MAC address to the Group.

i.e. we will write a script and provide that script to the end user. The end user needs to run the script which will add the MAC address to this Identity Group. The script will not run till the end user has entered his correct NT credentials.

The other requirement we are looking at is, after the end user has run this script can the ISE provide another policy for the end user to go to another VLAN?


Regards,
N!


@network_geek1979 create a Python script to create the endpoint in the specific endpoint identity group. In the script, prompt for a username and password; this user account would need to be a member of the ISE group "ERS Admin".
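As an added illustration of the script described in the reply above (example code, not part of the thread and not Cisco's own): it prompts for ERS credentials, resolves the endpoint identity group by name through the ISE ERS API, validates the MAC address, and posts the endpoint with a static group assignment. The hostname `ise.example.com` and group name `Reimaged-Laptops` are placeholders; the ERS paths (`/ers/config/endpointgroup`, `/ers/config/endpoint` on TCP 9060) are the standard ISE ones.

```python
"""Add one endpoint MAC to an existing ISE endpoint identity group over the ERS API.

Added example, not code from the thread. ISE_HOST and GROUP_NAME are placeholders
you must change. The account prompted for must be in ISE's "ERS Admin" group.
"""
import base64
import getpass
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

ISE_HOST = "ise.example.com"     # placeholder, assumed
ERS_PORT = 9060                  # ERS API port on ISE
GROUP_NAME = "Reimaged-Laptops"  # placeholder endpoint identity group name, assumed


def normalize_mac(raw: str) -> str:
    """Accept aa-bb-..., aabb.ccdd.eeff or aa:bb:...; return AA:BB:CC:DD:EE:FF.
    Anything that is not exactly 12 hex digits after removing separators is
    rejected, so a typo or a crafted value never reaches the API call."""
    cleaned = re.sub(r"[:\-.\s]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    mac = cleaned.upper()
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_payload(mac: str, group_id: str) -> dict:
    """ERS body for POST /ers/config/endpoint. staticGroupAssignment pins the
    endpoint to the group so profiling cannot move it out again later."""
    return {"ERSEndPoint": {"name": mac, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": True}}


def _request(method, path, auth_header, body=None):
    url = f"https://{ISE_HOST}:{ERS_PORT}{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/json", "Content-Type": "application/json",
        "Authorization": auth_header})
    # urlopen's default context verifies the ISE certificate; leave that on.
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.headers, resp.read()


def lookup_group_id(auth_header, group_name):
    """Resolve the group name to its ERS object id with a filter query."""
    q = urllib.parse.quote(f"name.EQ.{group_name}", safe="")
    _, _, raw = _request("GET", f"/ers/config/endpointgroup?filter={q}", auth_header)
    resources = json.loads(raw)["SearchResult"]["resources"]
    if not resources:
        raise LookupError(f"endpoint identity group {group_name!r} not found")
    return resources[0]["id"]


def main(argv):
    if len(argv) != 2:
        print("usage: add_endpoint.py <mac-address>", file=sys.stderr)
        return 2
    mac = normalize_mac(argv[1])
    user = input("ISE ERS username: ")
    password = getpass.getpass("ISE ERS password: ")  # never echoed or written to disk
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth_header = f"Basic {token}"
    try:
        group_id = lookup_group_id(auth_header, GROUP_NAME)
        status, headers, _ = _request("POST", "/ers/config/endpoint", auth_header,
                                      build_endpoint_payload(mac, group_id))
    except urllib.error.HTTPError as e:
        print(f"ERS request failed: HTTP {e.code} {e.reason}", file=sys.stderr)
        return 1
    print(f"created endpoint {mac} in {GROUP_NAME}: HTTP {status}, {headers.get('Location')}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python add_endpoint.py aa-bb-cc-dd-ee-ff`; ISE answers the POST with HTTP 201 and a Location header carrying the new endpoint's id. Because the credentials it prompts for must carry ERS Admin rights, the script is something an administrator or a controlled provisioning host runs, which is the point the later replies make about not handing those rights to end users.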

Hi Rob, thanks for your response.
The reason I am trying to do this is to ensure end users can re-image their Laptop with best experience.

This may need adding all the users to the ERS Admin group, and then maybe end users will also be able to run some other APIs.
Is that a correct understanding?

This will just expose a risk.

It will not work without the Python?


Regards,

N!

@network_geek1979 I wouldn't give ERS admin rights to normal users. I think you should consider other options.

If the users are re-imaging their laptops does that mean the devices are not joined to an AD domain and BYOD?

You could get the users to connect to a BYOD portal to enroll a certificate or just give them a CWA portal to authenticate to.

Hi Rob,
Yes, you are correct. The devices are not joined to the AD and they do not have the certificate.
In order to download the user certificate can we add some MFA with some Identity provider?

Can you guide me to some documents on the BYOD portal and the CWA portal?


Regards,
N!

@network_geek1979 you could probably set up some MFA on the web portal; it depends on what provider you have. Normally you just point to an AD or LDAP server. Here is the Cisco BYOD guide: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
