
bound guest user with mac address in cisco ise

Elbeshti1
Level 1

Hi

I have a question about how to bind guest users with their MAC addresses, as we already have more than 1000 guest users provisioned in the "Workstation" identity group; I also created a new identity group named "Guest 2022".

Also, we use ASA SSL VPN (Web VPN) instead of the ISE Guest User Portal, and it is difficult to force guest users to register their devices again.

Any help?

6 Replies

Arne Bier
VIP

Hi @Elbeshti1

Not sure I follow your exact requirement, but are you saying that you want to perform MAB for a bunch of endpoints whose MAC addresses exist in a named Endpoint Identity Group? If so, then of course this is just a simple Authentication check against the Internal Endpoints, and then a successful Authorization if the Endpoint is in that Endpoint Identity Group.

You need to be more specific about your ISE Policy Set config. And, is this wired or wireless, etc.?  Has the NAD been configured for MAB already?

thomas
Cisco Employee

I agree with @Arne Bier; it is not clear what you are trying to do.

I do not understand what a VPN has to do with guest access - these are completely different scenarios.

MAC authentication is not the recommended way to do Guest authentication.

Putting MAC addresses into endpoint identity groups is more appropriate for managed assets or IOT devices.

Please be specific about the exact scenario you want to enable, and if something is not working as expected, please share the necessary configurations from the components involved (endpoint, network device, ISE, etc.) as explained in How to Ask The Community for Help.

Hi

We use SSL AnyConnect with ISE authentication as shown in the link below:

https://www.youtube.com/watch?v=499W8sHYn-I

Instead of using an internal user in the policy set rule, we use a guest user.

My question is how to bind the MAC address of each guest user to his username?

I do not understand why "guest users" are using VPN.

> how bind the mac address of each guest user with his username??

If you want to bind a username to a MAC address, you would need to do that with an external identity store and compare the RADIUS Calling-Station-ID (user's MAC address) to an attribute of the user in the identity store.

Alternatively, you could do it with ISE internal users and store the bound MAC address in the Internal User Custom Attributes ("GuestMAC" for example).

[image: screenshot of the internal user's custom attribute]

And the policy looks like this:

[image: screenshot of the policy]

When the user connects via SSL VPN, take a look at the Calling Station ID attribute that comes to ISE with the access request. That is the closest you’ll get to a MAC address. 

hslai
Cisco Employee

For RA-VPN, the Calling-Station-ID is the public IP of the endpoint, NOT the MAC address. If macOS or Windows endpoints use AnyConnect to connect to ASA or FTD head-ends, the VPN client module gathers the MAC addresses and sends them over to ISE via the head-ends, so ISE may authorize the endpoints based on the endpoint attributes. Thus, I would suggest creating a custom attribute for the user owner, unless an existing attribute has the info.
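The binding check thomas describes (RADIUS Calling-Station-Id compared against a "GuestMAC" custom attribute on the internal user) together with hslai's caveat that over RA-VPN the attribute carries a public IP, as an added Python example that is not from the thread or from Cisco ISE. The user store, usernames and MAC values are constructed, and `authorize` only simulates the policy condition so the comparison logic can be tested offline.

```python
import ipaddress
import re

# Constructed sample of ISE internal users with the custom attribute "GuestMAC"
# proposed in the thread; all values are made up for this example.
INTERNAL_USERS = {
    "guest01": {"GuestMAC": "00:11:22:AA:BB:CC"},
    "guest02": {"GuestMAC": "0011.2233.4455"},   # Cisco dotted form
    "guest03": {},                                 # no MAC bound yet
}
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC.
    NADs send Calling-Station-Id as 00-11-22-33-44-55, 00:11:22:33:44:55 or
    0011.2233.4455, so compare on a canonical form, never on the raw string."""
    if value is None:
        return None
    stripped = re.sub(r"[:\-.]", "", value.strip().lower())
    return stripped if _HEX12.match(stripped) else None


def is_ip_address(value):
    """True if value parses as an IPv4/IPv6 address (RA-VPN Calling-Station-Id)."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def authorize(access_request, users=INTERNAL_USERS):
    """Mimic the policy condition 'Calling-Station-Id equals the user's GuestMAC'.
    access_request holds the RADIUS attributes as ISE receives them.
    Returns (decision, reason) with decision 'PERMIT' or 'REJECT'."""
    username = access_request.get("User-Name")
    csid = access_request.get("Calling-Station-Id") or ""
    user = users.get(username)
    if user is None:
        return "REJECT", "unknown user"
    if is_ip_address(csid):
        # hslai's point: over RA-VPN this attribute is the client's public IP,
        # so a MAC binding cannot be enforced from it at all.
        return "REJECT", "Calling-Station-Id is an IP address, not a MAC"
    bound = normalize_mac(user.get("GuestMAC"))
    if bound is None:
        return "REJECT", "user has no GuestMAC bound"
    if normalize_mac(csid) != bound:
        return "REJECT", "Calling-Station-Id does not match GuestMAC"
    return "PERMIT", "MAC matches bound GuestMAC"
```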