Authorization policy for new clients deployment

lnw-team
Level 1

Hello, 

I've recently created "MAB Client Installation" authorization policy on Cisco ISE. It has three conditions all of which have to be met in order for the policy to match.

- Network Access: Network Device Name equals xxxxxxx
- Normalised Radius·RadiusFlowType equals WiredMAB
- Radius·NAS-Port-Id equals xxxxxxx

The ports for client deployment are in a locked room; however, I would like to amend the policy so that it allows only certain MAC addresses. Is that doable? I was trying to achieve that by creating an additional group in Work Centers>>Network Access>>ID groups>>Endpoint Identity Groups, but I can't add MAC addresses manually. How can we do that, and is it possible to provide the Service Desk with limited access to Cisco ISE so that they can only modify the list?

Thank you in advance!

6 Replies

@lnw-team you can create a MyDevices portal on ISE which the Service Desk can login to, they can then add MAC addresses which will be added to the group you specified (which is referenced in the authorisation rules).

FYI, you can import MAC addresses in bulk using a CSV, which is the better way of importing MAC addresses.

Thanks, but is it possible to do it with an Endpoint Identity Group as well? In the My Devices portal I can add only one device.

@lnw-team the MyDevices portal allows the Service Desk to add a MAC address to the Endpoint Identity Group. You define which group to use as the administrator when configuring that portal. It's not a perfect solution, the preferred method (if you must use MAB) is to bulk import via CSV.
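Both replies above point to a CSV bulk import as the preferred way to get a Service Desk-maintained MAC list into the Endpoint Identity Group. Below is an added example (not part of this thread and not Cisco's own tooling) of the preparation step a practitioner would want before such an import: it takes a plain-text list as people actually type it, normalises every entry to the AA:BB:CC:DD:EE:FF form ISE stores, rejects malformed entries and duplicates with a reason, and emits the CSV. The identity group name `MAB_Client_Installation` and the CSV header columns are assumptions; compare the header against the import template you can export from ISE before using the output.

```python
import csv
import io
import re

# Constructed sample input: the list a Service Desk would maintain, one MAC per
# line in whatever format it was typed. Deliberately contains mixed separators,
# a duplicate and one invalid entry.
SERVICE_DESK_LIST = """\
# client deployment room, port Gi1/0/1-3
00:11:22:33:44:55
0011.2233.4466
00-11-22-33-44-77
00:11:22:33:44:55
ZZ:11:22:33:44:88
"""

# Assumed Endpoint Identity Group name; not taken from the thread.
IDENTITY_GROUP = "MAB_Client_Installation"

# Assumed header columns; confirm against the endpoint import template from ISE.
CSV_COLUMNS = ["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC in ISE's AA:BB:CC:DD:EE:FF form, or None if it is not a valid MAC."""
    digits = re.sub(r"[:.\-\s]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_rows(text, identity_group):
    """Parse the raw list into (rows, rejected).

    rows: unique, valid, normalised entries ready for the CSV.
    rejected: (line number, original text, reason) for everything dropped,
    so the Service Desk can be told exactly what to fix.
    """
    rows, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are not entries
        mac = normalize_mac(line)
        if mac is None:
            rejected.append((lineno, line.strip(), "not a valid MAC address"))
        elif mac in seen:
            rejected.append((lineno, line.strip(), "duplicate of an earlier entry"))
        else:
            seen.add(mac)
            rows.append({"MACAddress": mac, "IdentityGroup": identity_group})
    return rows, rejected


def to_csv(rows):
    """Render the accepted rows as CSV text with the assumed ISE header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({
            "MACAddress": r["MACAddress"],
            "EndPointPolicy": "",  # left blank: let profiling decide
            "IdentityGroup": r["IdentityGroup"],
            "Description": "Client deployment port (bulk imported)",
        })
    return buf.getvalue()


if __name__ == "__main__":
    accepted, dropped = build_import_rows(SERVICE_DESK_LIST, IDENTITY_GROUP)
    print(to_csv(accepted))
    for lineno, raw, why in dropped:
        print(f"line {lineno}: {raw!r} rejected: {why}")
```

Keeping the rejects visible matters more than it looks: a typo that silently turns into a wrong MAC means a port that should only admit a known device ends up admitting nothing, and an invalid line that is simply skipped hides a device that should have been authorised.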

Y. Yordanov
Cisco Employee

Hey, both of these are possible:

For the service desk, we use RBAC policies:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200891-Understanding-Admin-Access-and-RBAC-Poli.html

The endpoint group is also viable: if you cannot add them directly from the endpoint group, try from Context Visibility > Endpoints and assign the group manually.

Just make sure to build the policy in a way that these endpoints will be going into it.


Hello, 

Thanks, but in the case of Endpoint Identity Groups I cannot just type any MAC address; I need to pick it from the list. As for the "MyDevices" portal, is it possible to create several different portals and allow users to add multiple MAC addresses at once? Also, when there's more than one portal, I need to assign it a different name/IP address. Is that possible with just one ISE deployment working in a cluster?

Hello,

Since via the My Devices portal we can add only a single device, I think it would be better to do that via Context Visibility.