128 Views · 0 Helpful · 1 Replies

Beginner

Cisco ISE 2.2 or 2.3 endpoint management

I am working with an agency that uses MAC Auth on RADIUS servers that use AD as an identity store. We plan on moving them to ISE, but I am looking at a better way to store their MAC addresses, preferably in ISE. I just went through and did an import of 12 groups of MAC addresses into ISE. There are almost 17k MAC addresses.

What they have been doing is using netdb to maintain their MAC addresses. They have netdb talk to a SQL server that has policies to take a MAC address that, for example, has not been seen in 60 days and move it to a deny group in AD. Some are 7 days or 10 years. Depending on the deny group it goes to, they get deleted after 1 or 5 years. I am not so concerned with deleting, but is there a way I could set up similar rules in ISE so that if a MAC did not authenticate or show up in accounting for 60 days or so, I could have it moved to a blacklisted group or a deny group that I create in ISE?

Could we do something with ERS?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco ISE 2.2 or 2.3 endpoint management

Hi Richart,

If using AD, you can use that as an LDAP server and set up ISE to use MAB to do an LDAP lookup.

If you want to create a rule such as the above, you can use both the Monitoring API to check if the session exists and then use the ERS API to update the endpoint ID group.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ch1.html

ISE ERS API Examples

You need a script/tool that does this for you on a regular basis.

Thanks

Krishnan
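The answer above sketches the procedure (check sessions through the Monitoring API, then move the endpoint with ERS, on a schedule) without showing it. The script below is an added example, not code from Krishnan, Cisco or the ISE documentation. It keeps a small last-seen file between scheduled runs, refreshes it from the MnT `Session/ActiveList` call, and uses ERS to pin any endpoint idle for 60 days or more to a quarantine endpoint identity group. Assumptions not stated in the thread: the ActiveList XML carries one `calling_station_id` element per session, the ERS endpoint list reports the MAC in each resource's `name`, and the ERS PUT body uses the `ERSEndPoint`/`groupId`/`staticGroupAssignment` keys; the hostname, credentials, the "Stale-Deny" group name and all sample MACs and dates are placeholders constructed for the demo.

```python
"""Scheduled sweep: move ISE endpoints idle for 60+ days into a quarantine group.
Added example; hostnames, credentials, group name and sample data are placeholders."""
import base64
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

ISE_HOST = "ise.example.local"                 # placeholder PAN/MnT node (assumption)
ISE_USER, ISE_PASS = "api-admin", "CHANGE-ME"  # placeholder; needs ERS Admin + MnT Admin
STALE_AFTER = timedelta(days=60)               # the 60-day window from the question
QUARANTINE_GROUP = "Stale-Deny"                # placeholder endpoint identity group
ERS_BASE = f"https://{ISE_HOST}:9060/ers/config"
MNT_BASE = f"https://{ISE_HOST}/admin/API/mnt"

# Constructed MnT Session/ActiveList reply used by demo(); element names are assumed.
SAMPLE_ACTIVE_LIST = """<activeList noOfActiveSession="2">
  <activeSession><user_name>host/pc1</user_name>
    <calling_station_id>00:11:22:33:44:55</calling_station_id></activeSession>
  <activeSession><user_name>printer</user_name>
    <calling_station_id>aa-bb-cc-dd-ee-ff</calling_station_id></activeSession>
</activeList>"""


def norm_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to AA:BB:CC:DD:EE:FF, the form ISE stores."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def active_macs(active_list_xml: str) -> Set[str]:
    """MACs that currently hold a session, parsed from the ActiveList XML."""
    root = ET.fromstring(active_list_xml)
    return {norm_mac(e.text) for e in root.iter("calling_station_id") if e.text}


def classify(endpoints: Iterable[str], active: Set[str], last_seen: Dict[str, str],
             now: datetime) -> Tuple[Dict[str, str], List[str]]:
    """Age each endpoint against the last-seen record kept between runs.
    Returns (refreshed last-seen map, MACs idle for STALE_AFTER or longer)."""
    updated = dict(last_seen)
    stale = []
    for mac in endpoints:
        if mac in active or mac not in updated:
            # live session, or first time this tool sees the endpoint: (re)start the clock
            updated[mac] = now.isoformat()
        elif now - datetime.fromisoformat(updated[mac]) >= STALE_AFTER:
            stale.append(mac)
    return updated, sorted(stale)


def group_update_body(endpoint_id: str, mac: str, group_id: str) -> dict:
    """ERS PUT body that statically pins the endpoint to group_id."""
    return {"ERSEndPoint": {"id": endpoint_id, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": True}}


def ise_call(url: str, accept: str, method: str = "GET", payload: Optional[dict] = None) -> str:
    """Authenticated HTTPS call; the ISE certificate is verified against the system CA store."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{ISE_USER}:{ISE_PASS}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", accept)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
        return resp.read().decode()


def sweep(state_path: str = "ise_last_seen.json", dry_run: bool = True) -> List[str]:
    """One scheduled run: refresh the last-seen file, move stale endpoints to quarantine."""
    now = datetime.now(timezone.utc)
    try:
        with open(state_path) as fh:
            last_seen = json.load(fh)
    except FileNotFoundError:
        last_seen = {}
    active = active_macs(ise_call(f"{MNT_BASE}/Session/ActiveList", "application/xml"))
    grp = json.loads(ise_call(f"{ERS_BASE}/endpointgroup?filter=name.EQ.{QUARANTINE_GROUP}",
                              "application/json"))
    group_id = grp["SearchResult"]["resources"][0]["id"]
    ids: Dict[str, str] = {}                   # MAC -> ERS endpoint id, across all pages
    url = f"{ERS_BASE}/endpoint?size=100"      # ERS pages at 100; follow nextPage for 17k MACs
    while url:
        page = json.loads(ise_call(url, "application/json"))["SearchResult"]
        ids.update({norm_mac(r["name"]): r["id"] for r in page["resources"]})
        url = page.get("nextPage", {}).get("href")
    last_seen, stale = classify(ids, active, last_seen, now)
    for mac in stale:
        if not dry_run:
            ise_call(f"{ERS_BASE}/endpoint/{ids[mac]}", "application/json", "PUT",
                     group_update_body(ids[mac], mac, group_id))
    with open(state_path, "w") as fh:
        json.dump(last_seen, fh)
    return stale


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Offline run over constructed data (no ISE needed)."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    previous = {"00:11:22:33:44:55": "2023-11-01T00:00:00+00:00",   # idle 121 days but active now
                "DE:AD:BE:EF:00:01": "2023-12-01T00:00:00+00:00",   # idle 91 days -> stale
                "DE:AD:BE:EF:00:02": "2024-02-20T00:00:00+00:00"}   # idle 10 days -> keep
    endpoints = set(previous) | {"AA:BB:CC:DD:EE:FF", "DE:AD:BE:EF:00:03"}  # last never recorded
    return classify(endpoints, active_macs(SAMPLE_ACTIVE_LIST), previous, now)


if __name__ == "__main__":
    state, stale = demo()
    print("stale:", stale)   # only DE:AD:BE:EF:00:01 crosses the 60-day line
```

Run it first with `dry_run=True` from cron or a scheduler and compare the returned list against the netdb results before letting it issue PUTs; the last-seen file is the tool's only memory, so the first run only starts the clock and nothing is moved until 60 days of runs have passed. Because the script stores the quarantine assignment as a static group membership, the endpoint will stay in "Stale-Deny" until an operator moves it back, which matches the deny-group behaviour the question describes.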
