05-23-2018 12:27 AM
When I connect my laptop to a switch in the ISE environment, it is auto-discovered by ISE and listed under Home --> Summary --> Total Endpoints:
and the MAC entry is put in this table:
When I test 802.1X MAC auth via ISE, it always passes because this MAC already exists. Is it possible to disable the automatic endpoint MAC discovery function? ISE version is 2.4.0.
05-23-2018 04:18 AM
You cannot disable the discovery, but if the goal is to only allow access to endpoints explicitly assigned to an access group, then you can go to Administration > Identity Management > Groups > Endpoint Identity Groups to add or import (via file/LDAP) MAC addresses into the desired group for policy assignment. You can also use the ERS API to update the endpoints and group memberships.
Note that a given MAC address can belong to only one Endpoint Identity Group at a time, so it may be worth looking into Custom Attributes if you wish endpoints to belong to multiple classifications for policy assignment.
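A worked example of the ERS route mentioned in this answer, added here and not part of the original thread or of any Cisco tooling: it resolves an Endpoint Identity Group by name and creates endpoints in it with a static group assignment so profiling cannot move them. The ISE hostname, ERS account and group name are assumed placeholders.

```python
import base64, json, re, ssl, urllib.error, urllib.request

# Assumed placeholders: ISE admin node and an account holding the ERS Admin role.
ISE_HOST = "ise-pan.example.local"
ERS_USER, ERS_PASS = "ers-admin", "PLACEHOLDER_PASSWORD"

def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455 / 00-11-22-33-44-55 / 001122334455; return ISE's 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def group_id_from_search(result: dict, name: str) -> str:
    """Extract the group UUID from an ERS SearchResult; refuse anything but exactly one match."""
    hits = [r for r in result.get("SearchResult", {}).get("resources", []) if r.get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"expected one Endpoint Identity Group named {name!r}, found {len(hits)}")
    return hits[0]["id"]

def endpoint_payload(mac: str, group_id: str, description: str = "") -> dict:
    """Body for POST /ers/config/endpoint; staticGroupAssignment stops the profiler moving it."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "description": description,
                            "groupId": group_id, "staticGroupAssignment": True,
                            "staticProfileAssignment": False}}

def ers_call(method: str, path: str, body: dict = None):
    """One authenticated ERS request (port 9060); returns (HTTP status, parsed JSON or None)."""
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/{path}", method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:       # e.g. 400 when the endpoint already exists
        return err.code, None

def assign_macs(macs, group_name: str) -> dict:
    """Resolve the group once, then create each endpoint in it; returns HTTP status per MAC."""
    status, found = ers_call("GET", f"endpointgroup?filter=name.EQ.{group_name}")
    if status != 200:
        raise RuntimeError(f"group lookup failed with HTTP {status}")
    gid = group_id_from_search(found, group_name)
    return {normalize_mac(m): ers_call("POST", "endpoint", endpoint_payload(m, gid, "ERS import"))[0]
            for m in macs}
```

Call it as `assign_macs(["0011.2233.4455", "00-11-22-33-44-66"], "Corp-Laptops")`; a 201 per MAC means the endpoint was created in the group, and an authorization rule matching that group can then permit access while Unknown/Profiled endpoints are left to a deny or redirect rule.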
05-23-2018 01:02 AM
When you connect to the switch and start a RADIUS session, ISE will learn the MAC address. How have you configured the switch?
There may be SNMP configuration too; it can learn the MAC address from there as well. And I think all of this is necessary for profiling in ISE. And it will not pass if your rules are configured correctly.
05-23-2018 01:19 AM
Thanks for your reply. Can you give me some advice on how to set the correct configuration for MAC auth via
05-23-2018 01:38 AM
First explain what you want to do. Show us the switch configuration, and show how you create the policy, authentication and authorization.
05-23-2018 03:35 AM
Thanks for your reply. My laptop MAC is auto-discovered into the Unknown list:
and MAC auth will pass if this MAC exists in this table, and I cannot remove it manually.
Authentication policy like this:
Authorization policy like this:
In my opinion, there should be some table that I can maintain (key in the MACs that I want to be authenticated), but I cannot find where it is. Or are there other configurations I need to adjust?
05-23-2018 03:41 AM
Yes, I am pretty sure it hits Basic Network Access. First of all, disconnect your laptop from the switch; second, delete the endpoint MAC address from Context Visibility; then reconnect your laptop to the switch and see what happens. I never use this rule and in my deployment I disable it. I prefer my own rules, not the default ones.
05-23-2018 11:38 PM
Thanks for your reply. After I checked the logs, the endpoint profile is "Unknown", and every time a PC/notebook connects in this environment, the MAC is auto-discovered and listed under this profile:
May I adjust it to another profile, like "Workstation" or "Profiled"? If yes, where is the configuration I should modify?
05-24-2018 04:16 AM
No you cannot
Would recommend, if you're so concerned with this, that you disable the default authorization rule for authenticated endpoints that comes out of the box.
Recommendation is to authenticate all, but then put an authorization rule for those you don't want to allow that redirects them to a portal page with instructions and gives them limited access.
Then only authorize with more access those groups you have built manually, perhaps?
If valid group, then permit full access?
05-24-2018 05:43 AM
In the absence of an explicit ID group assignment, endpoints will have a default ID Group assigned based on their profile status. If an endpoint does not match a known profile, it is assigned a group of Unknown. If it matches a known profile, it is assigned a group of Profiled. If the profile is enabled to "Create Matching Identity Group", it will then be assigned to an Identity Group based on the profile name.
In your case, if you wish these endpoints to be granted or denied access, then assign them to a specific ID group and ignore the profile.
Craig