Cisco ISE 2.2 or 2.3 endpoint management

Richard Lucht
Level 1

I am working with an agency that uses MAC Auth on RADIUS servers that use AD as an identity store. We plan on moving them to ISE, but I am looking at a better way to store their MAC addresses, preferably in ISE. I just went through and did an import of 12 groups of MAC addresses into ISE. There are almost 17k MAC addresses.

What they have been doing is using netdb to maintain their MAC addresses. They have netdb talk to a SQL server that has policies so that a MAC address that, for example, has not been seen in 60 days goes to a deny group in AD. Some are 7 days or 10 years. Depending on the deny group it goes to, they get deleted after 1 or 5 years. Not so concerned with deleting, but is there a way I could set up similar rules in ISE so that if a MAC did not authenticate or show up in accounting for 60 days or so, I could have it moved to a blacklisted group or a deny group that I create in ISE?

Could we do something with ERS?

Accepted Solution

kthiruve
Cisco Employee

Hi Richard,

If using AD, you can use it as an LDAP server and set up ISE to use MAB to do an LDAP lookup.

If you want to create a rule such as the above, you can use both the Monitoring API, to check whether the session exists, and then the ERS API, to update the endpoint ID group.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ch1.html

ISE ERS API Examples

You need a script/tool that does this for you on a regular basis.

Thanks

Krishnan

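Krishnan's reply describes the shape of a periodic job rather than any particular script. What follows is an added example of how such a job could be put together in Python; it is not Cisco's code and not part of the thread. It assumes an ERS-enabled ISE admin account, a deny endpoint group named `Deny60` that you create in ISE, and the MnT and ERS URL paths (`/admin/API/mnt/Session/MACAddress/<mac>`, `/ers/config/endpoint`, `/ers/config/endpointgroup`, with `filter=<attr>.EQ.<value>` searches) as documented in the API reference linked above, which you should check against your own ISE release. Because ERS endpoint objects carry no last-seen timestamp, the job keeps its own last-seen record and refreshes it whenever MnT still reports an active session for a MAC; only MACs that are both past the age limit and without a live session are statically moved to the deny group. The `demo()` function runs the sweep against constructed sample data and an offline stand-in for ISE, so the logic can be exercised without a lab box.

```python
"""Stale-MAC sweep for Cisco ISE: MnT session check, then ERS group move.
Added example, not from the thread. Assumed: host/credentials, the deny group
name, the MnT/ERS URL paths (verify against your release's API reference), and
the job's own last-seen record (ERS endpoint objects expose no last-seen field)."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace


def stale_macs(last_seen, now, max_age_days):
    """MACs whose recorded last-seen time is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(m for m, seen in last_seen.items() if seen < cutoff)


def ers_move_body(endpoint_id, mac, group_id):
    # staticGroupAssignment stops profiling from moving it back out of the deny group.
    return {"ERSEndPoint": {"id": endpoint_id, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": True}}


class IseClient:
    def __init__(self, host, user, password):
        self.host = host
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = f"Basic {token}"
        self.ctx = ssl.create_default_context()  # TLS verification stays on

    def _call(self, method, url, body=None, accept="application/json"):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Accept", accept)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as r:
                return r.status, r.read()
        except urllib.error.HTTPError as err:  # 404 = no session / no object
            return err.code, err.read()

    def session_active(self, mac):
        url = f"https://{self.host}/admin/API/mnt/Session/MACAddress/{mac}"
        return self._call("GET", url, accept="application/xml")[0] == 200

    def _ers_search(self, path, attr, value):
        url = f"https://{self.host}:9060/ers/config/{path}?filter={attr}.EQ.{value}"
        status, raw = self._call("GET", url)
        if status != 200:
            return None
        hits = json.loads(raw)["SearchResult"].get("resources", [])
        return hits[0]["id"] if hits else None

    def endpoint_id(self, mac):
        return self._ers_search("endpoint", "mac", mac)

    def group_id(self, name):
        return self._ers_search("endpointgroup", "name", name)

    def move_endpoint(self, endpoint_id, mac, group_id):
        url = f"https://{self.host}:9060/ers/config/endpoint/{endpoint_id}"
        return self._call("PUT", url, ers_move_body(endpoint_id, mac, group_id))[0] == 200


def sweep(client, last_seen, now, max_age_days, deny_group):
    """One scheduled pass: returns (moved, refreshed); active MACs get last_seen refreshed."""
    gid = client.group_id(deny_group)
    if gid is None:
        raise RuntimeError(f"endpoint group {deny_group!r} not found")
    moved, refreshed = [], []
    for mac in stale_macs(last_seen, now, max_age_days):
        if client.session_active(mac):
            last_seen[mac] = now
            refreshed.append(mac)
            continue
        eid = client.endpoint_id(mac)
        if eid and client.move_endpoint(eid, mac, gid):
            moved.append(mac)
    return moved, refreshed


def demo():
    """Runs sweep on constructed sample data against an offline stand-in for IseClient."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    last_seen = {"00:11:22:33:44:AA": now - timedelta(days=70),   # stale -> moved
                 "00:11:22:33:44:BB": now - timedelta(days=5),    # fresh -> untouched
                 "00:11:22:33:44:CC": now - timedelta(days=90),   # stale but active
                 "00:11:22:33:44:DD": now - timedelta(days=100)}  # stale, unknown to ERS
    moves = []
    fake = SimpleNamespace(
        group_id=lambda name: "grp-deny-60" if name == "Deny60" else None,
        session_active=lambda mac: mac == "00:11:22:33:44:CC",
        endpoint_id=lambda mac: {"00:11:22:33:44:AA": "ep-aa", "00:11:22:33:44:CC": "ep-cc"}.get(mac),
        move_endpoint=lambda eid, mac, gid: moves.append((eid, mac, gid)) is None)
    moved, refreshed = sweep(fake, last_seen, now, 60, "Deny60")
    return moved, refreshed, moves, last_seen["00:11:22:33:44:CC"] == now
```

Against a real deployment you would call `sweep(IseClient("ise.example.net", user, password), last_seen, datetime.now(timezone.utc), 60, "Deny60")` from cron and persist `last_seen` between runs; an authorization rule on the deny endpoint group then does the blocking, and the static assignment keeps profiling from quietly returning a blocked MAC to its old group.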
