09-06-2023 04:52 AM
Hello,
I've recently created "MAB Client Installation" authorization policy on Cisco ISE. It has three conditions all of which have to be met in order for the policy to match.
- Network Access: Network Device Name equals xxxxxxx
- Normalised Radius·RadiusFlowType equals WiredMAB
- Radius·NAS-Port-Id equals xxxxxxx
The ports for client deployment are in a locked room; however, I would like to amend the policy so that it allows only certain MAC addresses. Is that doable? I was trying to achieve that by creating an additional group in Work Centers >> Network Access >> ID Groups >> Endpoint Identity Groups, but I can't add MAC addresses manually. How can we do that, and is it possible to provide the Service Desk with limited access to Cisco ISE so that they can only modify the list?
Thank you in advance!
09-06-2023 05:18 AM
@lnw-team you can create a MyDevices portal on ISE which the Service Desk can login to, they can then add MAC addresses which will be added to the group you specified (which is referenced in the authorisation rules).
FYI, you can import MAC addresses in bulk using a CSV, which is the better way of importing MAC addresses.
09-06-2023 05:45 AM
Thanks, but is it possible to do it with an Endpoint Identity Group as well? In the My Devices portal I can add only one device.
09-06-2023 06:05 AM
@lnw-team the MyDevices portal allows the Service Desk to add a MAC address to the Endpoint Identity Group. You define which group to use as the administrator when configuring that portal. It's not a perfect solution; the preferred method (if you must use MAB) is to bulk import via CSV.
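The bulk CSV import both replies recommend is only as good as the list fed into it. As an added example, not from this thread or from Cisco, here is a small Python helper that normalises MAC addresses handed over by a Service Desk, rejects malformed, multicast and duplicate entries, and writes rows in the column layout assumed here (MACAddress, EndPointPolicy, IdentityGroup, Description; verify it against the template ISE offers on its endpoint import page before use).

```python
import csv
import io
import re
from typing import Iterable, List, Optional, Tuple

# Assumed column layout of the ISE endpoint import CSV; confirm against the
# template downloadable from the ISE import dialog before relying on it.
CSV_HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"]
_ALLOWED_CHARS = re.compile(r"^[0-9a-fA-F:\-. ]+$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not a valid unicast MAC."""
    raw = raw.strip()
    # Reject anything with characters other than hex digits and separators,
    # so stray letters are not silently dropped by the separator strip below.
    if not _ALLOWED_CHARS.fullmatch(raw):
        return None
    hexdigits = re.sub(r"[:\-. ]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    if int(hexdigits[:2], 16) & 1:
        return None  # group bit set: multicast/broadcast, never a client NIC
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_import_csv(lines: Iterable[str], identity_group: str,
                     description: str = "") -> Tuple[str, List[str]]:
    """Validate raw MAC strings and build the CSV text for bulk import.

    Returns (csv_text, rejected); rejected holds malformed or duplicate inputs
    so the list can be sent back for correction instead of imported blindly.
    """
    seen, rows, rejected = set(), [], []
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments in the hand-over list
        mac = normalize_mac(raw)
        if mac is None or mac in seen:
            rejected.append(raw)
            continue
        seen.add(mac)
        # EndPointPolicy left blank (assumption); fill in a profiling policy
        # name if your ISE template requires one.
        rows.append([mac, "", identity_group, description])
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    writer.writerows(rows)
    return buf.getvalue(), rejected
```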
09-06-2023 06:09 PM
Hey, both of these are possible:
For the Service Desk, we use RBAC policies:
For the endpoint group, this is also viable: if you cannot add them directly from the endpoint group, try from Context Visibility and assign the group manually, from Context Visibility > Endpoints.
Just make sure to build the policy in a way that these endpoints will be going into it.
09-08-2023 12:24 AM
Hello,
Thanks, but in the case of Endpoint Identity Groups I cannot just type any MAC address; I need to pick it from the list. As for the "My Devices" portal, is it possible to create several different portals and allow users to add multiple MAC addresses at once? Also, when there's more than one portal, I need to assign it a different name/IP address. Is that possible with just one ISE deployment working in a cluster?
09-12-2023 04:17 AM
Hello,
Since via the My Devices portal we can add only one single device, I think it would be better to do that via Context Visibility.