cisco ise license

bluesea2010
Level 5

Hi,

I want to assign a VLAN based on the vendor. For example, if the device is Apple, I need to assign VLAN 10.

What type of license do I require?

Also, is it possible to assign a VLAN based on the MAC address? And if yes, what type of license is required?

Thanks

Accepted Solutions

thomas
Cisco Employee

Basic authentication of an endpoint with a VLAN assignment only requires a Base (ISE 2.x) or Essentials (ISE 3.x) license.

> it is possible to assign a vlan based on the mac address

Yes, you have several options:

1) Put known endpoints into a static endpoint group and match it by endpoint group.

2) Perform a string match on the Calling-Station-ID - by OUI or full MAC address - in the authorization rule. Note however that this does not scale very well in your authorization rule or policy set.

3) Use endpoint profiling to determine Apple vs other devices. Note that using Profiling uses the Advanced (ISE 2.x) or Advantage (3.x) licenses.

4 Replies

balaji.bandi
Hall of Fame

An Apple device connects to an AP (Wi-Fi), so you have WLC infrastructure; you need the 802.1X feature for both wired and wireless.

MAC-based authentication is possible (it's not as secure as a supplicant). If the device supports a supplicant, then use 802.1X supplicant authentication. On some devices, like phones, you cannot install one; they can use MAC-based authentication, but that is possible.

Coming to the license, look at the essential license below:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/qa-c67-744190.html

BB

@bluesea2010 Use profiling to determine that the endpoint is an "Apple" device. You can then use this information when creating your authorisation rule, to specifically match that type of device and apply the specific VLAN. For profiling enforcement you will need the ISE Advantage license.

Alternatively, you could statically define the Apple device MAC addresses in an identity group and reference that in the authorisation rule, though there is manual effort there to set up and maintain.

imanv
Level 1

@bluesea2010 wrote:

> Hi,
>
> I want to assign VLAN based on the vendor, for example, if the device is apple, need to assign VLAN 10
>
> What type of license I require.?

Based on the following Cisco guide (Table 1), you need the Profiling feature and you need Advantage licenses.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html

@bluesea2010 wrote:

> Also, it is possible to assign a vlan based on the mac address? . And if yes what type of license require

Yes. An OUI is the first 6 hexadecimal digits of a MAC address and identifies the vendor that produced the NIC. There are also a lot of predefined profiles in ISE to help device profiling based on MAC and other factors.


Please rate if this answer was helpful
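
Added example, not part of any reply in this thread and not ISE code: a Python model of the OUI string match on Calling-Station-ID mentioned in the accepted solution, using the OUI definition given above. The OUI-to-VLAN table, the function names and the sample addresses are constructed for illustration; the returned attributes are the RFC 3580 tunnel attributes used for RADIUS VLAN assignment.

```python
import re

# Constructed sample policy: OUI (first 6 hex digits) -> VLAN ID.
# "001122" is a placeholder, not taken from the thread or a vendor list.
OUI_VLAN = {"001122": 10}

def normalize_mac(calling_station_id):
    """Strip the separators NAS devices use (-, :, .) and return 12
    lowercase hex digits, or None if the value is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a locally administered address
    (for example a randomized client MAC); its first 6 digits are not
    a vendor-assigned OUI."""
    return bool(int(mac[:2], 16) & 0x02)

def vlan_attributes(vlan):
    """RFC 3580 attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": 13,            # VLAN
        "Tunnel-Medium-Type": 6,      # IEEE 802
        "Tunnel-Private-Group-ID": str(vlan),
    }

def authorize(calling_station_id):
    """Model of an authorization rule that matches on the OUI."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return {"match": False, "reason": "malformed Calling-Station-ID"}
    if is_locally_administered(mac):
        return {"match": False, "reason": "locally administered MAC"}
    vlan = OUI_VLAN.get(mac[:6])
    if vlan is None:
        return {"match": False, "reason": "OUI not in policy"}
    return {"match": True, "reason": "OUI " + mac[:6],
            "attributes": vlan_attributes(vlan)}

if __name__ == "__main__":
    # Constructed Calling-Station-ID values in three common formats.
    for csid in ("00-11-22-AA-BB-CC", "0011.22aa.bbcc",
                 "02:11:22:aa:bb:cc", "00:11:23:aa:bb:cc", "not-a-mac"):
        print(csid, "->", authorize(csid))
```

Normalizing before the comparison matters because the same endpoint can arrive with different separators and letter case depending on the network device, and a raw string match would miss it.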
