
Cisco ISE Mac vs EntraID

hs08
VIP

I want to block unauthorized devices and need input on which one is better: using MAC address filtering or basing it on Microsoft Entra ID?

Currently all company devices are joined to Microsoft Entra.

In my mind, if we use Microsoft Entra as the identity, then when the devices connect to the network, the devices can still connect to the network if the user has not yet logged on to Windows. In this situation my goal of preventing unauthorized devices will not be fully met.

If we use a MAC filter, then when the device is connected to the switch, ISE will decide whether the device is rejected or not. In this situation, if the device is rejected, the unauthorized device will not connect to the network.

Can someone give me their point of view?

2 Replies

Minimal approach: With all the managed devices, deploy certificates and 802.1x settings and use EAP-TLS certificate based authentication.
This is one of the most basic approaches to ensure only "corporate authorized devices" can connect to the network.

If perhaps you're already doing this for Wi-Fi, you can use a similar approach for wired.

Using this approach you can go further at a later stage (EAP chaining, MDM lookups, etc.)

In reality, there are probably a number of other, non-managed, devices that you will need to allow to the network, such as printers, cctv, door systems, etc. that you may need to use Mac-Address-Bypass (MAB) for.
Some do support 802.1x though.

A note regarding using MAC addresses for everything: Not only is it a relatively low security approach, it can easily become a big administrative burden to manage all the MAC addresses in the environment.

I recommend starting out with some lab/test devices, and taking a look at all the 802.1x related sessions on ciscolive.com.
There are multiple aspects to authenticating devices to the network that can't be fully covered in a short forum reply.

 

---
Please mark helpful answers & solutions
---
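A wired access-port sketch of the approach in the reply above, with 802.1X (EAP-TLS on managed devices) tried first and MAB as the fallback for printers and similar endpoints. This is an added example, not part of the original posts and not a Cisco reference configuration; it uses legacy IOS `authentication` syntax, and the server name, address (documentation range), key, interface and VLAN are placeholders.

```cisco
! Added example: placeholder names and addresses throughout.
aaa new-model
!
! ISE is the RADIUS server for authentication, authorization and accounting
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius ISE-SERVERS
 server name ISE-PSN-1
!
aaa authentication dot1x default group ISE-SERVERS
aaa authorization network default group ISE-SERVERS
aaa accounting dot1x default start-stop group ISE-SERVERS
!
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description Access port: 802.1X first, MAB fallback
 switchport mode access
 switchport access vlan 10
 !
 ! The port stays unauthorized until ISE returns Access-Accept
 authentication port-control auto
 !
 ! Try 802.1X first; fall back to MAB only when no supplicant answers.
 ! Priority lets a later 802.1X success override an existing MAB session.
 authentication order dot1x mab
 authentication priority dot1x mab
 !
 ! MAB identifies the endpoint by MAC address only, so it is meant for
 ! devices without a supplicant (printers, CCTV, door systems).
 mab
 !
 ! Act as the 802.1X authenticator; a shorter tx-period reduces the wait
 ! before MAB is attempted for devices that never answer EAP.
 dot1x pae authenticator
 dot1x timeout tx-period 10
 !
 ! Re-authenticate periodically, using the timer sent by ISE
 authentication periodic
 authentication timer reauthenticate server
 !
 spanning-tree portfast
```

Whether a machine certificate is presented before user logon depends on the supplicant's authentication mode on the endpoint, which is configured on the client side and not on the switch.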