05-23-2018 11:21 AM
I am working with an agency that uses MAC Auth on RADIUS servers that use AD as an identity store. We plan on moving them to ISE, but I am looking at a better way to store their MAC addresses, preferably in ISE. I just went through and did an import of 12 groups of MAC addresses into ISE. There are almost 17k MAC addresses.
What they have been doing is using netdb to maintain their MAC addresses. They have netdb talk to a SQL server that has policies so that a MAC address that, for example, has not been seen in 60 days goes to a deny group in AD. Some are 7 days or 10 years; depending on the deny group it goes to, they get deleted after 1 or 5 years. Not so concerned with deleting, but is there a way I could set up similar rules in ISE so that if a MAC did not authenticate or show up in accounting for 60 days or so, I could have it moved to a blacklisted group or a deny group that I create in ISE?
Could we do something with ERS?
05-23-2018 01:42 PM
Hi Richart,
If using AD, you can use that as an LDAP server and set up ISE to use MAB to do an LDAP lookup.
If you want to create a rule such as the above, you can use both the Monitoring API to check if the session exists and then the ERS API to update the endpoint ID group.
You need a script/tool that does this for you on a regular basis.
Thanks
Krishnan
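One way to build the scheduled script Krishnan describes, as an added example that is not code from the thread or from Cisco: each run pulls the active session list from the ISE Monitoring (MnT) REST API, stamps a last-seen time per MAC in a local JSON store, and then moves every endpoint idle for 60 days into a deny Endpoint Identity Group through the ERS API. The host name, credentials, group UUID and store path are placeholders; the MnT ActiveList XML shape and the ERS endpoint JSON shape are assumed from the documented resources and should be checked against the target ISE version.

```python
"""Added example (not from the thread): age out idle MAB endpoints in ISE.
Polls MnT for active sessions, tracks last-seen per MAC, and uses ERS to move
endpoints idle for IDLE_DAYS into a deny Endpoint Identity Group.
Host, credentials and group ID below are placeholders."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ISE_HOST = "ise-pan.example.local"             # placeholder PAN/MnT node
ISE_USER, ISE_PASS = "ers-admin", "CHANGE-ME"  # placeholder admin with ERS + MnT rights
DENY_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group UUID
STORE_PATH = "last_seen.json"                  # local MAC -> ISO timestamp store
IDLE_DAYS = 60


def _request(url, method="GET", body=None, accept="application/json", ctx=None):
    # Thin urllib wrapper; ctx=None keeps default certificate verification
    token = base64.b64encode(f"{ISE_USER}:{ISE_PASS}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": accept,
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def normalise_mac(mac):
    """Canonical form used by ISE: upper-case, colon separated."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_active_macs(xml_text):
    """MACs from an MnT ActiveList response (assumed shape:
    <activeList><activeSession><calling_station_id>...</calling_station_id>...)."""
    root = ET.fromstring(xml_text)
    return {normalise_mac(s.findtext("calling_station_id"))
            for s in root.iter("activeSession") if s.findtext("calling_station_id")}


def update_last_seen(store, macs, now_iso):
    """Stamp every currently active MAC with the run time (ISO-8601 string)."""
    for mac in macs:
        store[mac] = now_iso
    return store


def stale_macs(store, now_iso, idle_days=IDLE_DAYS):
    """MACs whose last-seen stamp is older than idle_days, sorted for stable output."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=idle_days)
    return sorted(m for m, ts in store.items() if datetime.fromisoformat(ts) < cutoff)


def ers_move_payload(endpoint, group_id):
    """PUT body that moves an ERS endpoint into group_id. staticGroupAssignment
    must be True, otherwise the profiler can reassign the endpoint later."""
    ep = dict(endpoint["ERSEndPoint"])
    ep.pop("link", None)           # read-only hypermedia field, not part of a PUT
    ep["groupId"] = group_id
    ep["staticGroupAssignment"] = True
    return {"ERSEndPoint": ep}


def move_to_deny_group(mac, ctx=None):
    base = f"https://{ISE_HOST}:9060/ers/config/endpoint"
    found = json.loads(_request(f"{base}?filter=mac.EQ.{mac}", ctx=ctx))
    for res in found["SearchResult"]["resources"]:
        endpoint = json.loads(_request(f"{base}/{res['id']}", ctx=ctx))
        _request(f"{base}/{res['id']}", "PUT",
                 ers_move_payload(endpoint, DENY_GROUP_ID), ctx=ctx)


def run_once(ctx=None):
    """One scheduled pass (e.g. daily cron): refresh last-seen, quarantine idle MACs."""
    now_iso = datetime.now(timezone.utc).isoformat()
    try:
        with open(STORE_PATH) as fh:
            store = json.load(fh)
    except FileNotFoundError:
        store = {}
    xml_text = _request(f"https://{ISE_HOST}/admin/API/mnt/Session/ActiveList",
                        accept="application/xml", ctx=ctx)
    store = update_last_seen(store, parse_active_macs(xml_text), now_iso)
    for mac in stale_macs(store, now_iso):
        move_to_deny_group(mac, ctx=ctx)
    with open(STORE_PATH, "w") as fh:
        json.dump(store, fh)


if __name__ == "__main__":
    run_once()
```

Two points a practitioner should settle before relying on this: ActiveList only shows sessions that are up at poll time, so the poll interval has to be well under the typical session length or brief sessions will be missed, and MACs that were bulk-imported but never seen will not age out unless the store is seeded with them (for example from a one-time ERS endpoint listing). Moving an endpoint into the group does nothing on its own; the authorization policy still needs a rule that matches that Endpoint Identity Group and returns DenyAccess.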