Solved: Cisco ISE wired NAC bypass using MAC

ali007 · ‎04-12-2023

Hi,

the business doesn't want us to use the portal included in ISE for NAC bypass using MAC so wondering is there any other way of doing this i.e. using a script, or Service now integration etc.? or integration with sponsor portal?

Regards

ahollifield · ‎04-13-2023

API is probably your best/most scalable way to do this: https://developer.cisco.com/identity-services-engine/

If you are going to do this with the Sponsor Portal then you might as well just use the regular GUI.

View solution in original post

ahollifield · ‎04-12-2023

To do what exactly? Bypass authentication? Is this wired or wireless? Guest? Something else? Do you mean you don't want to do MAB? Or rely on some other attribute for non-802.1X devices?

https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356

ali007 · ‎04-12-2023

so users whose machine fail to authenticate using NAC (802.1x EAP-TLS), this bypass will provide them temporary access using MAC address.

ahollifield · ‎04-12-2023

So how would the MAC address get added to ISE? Is that what you are asking?

ali007 · ‎04-13-2023

Exactly... I know how its done through ISE GUI but is it possible to either script it using API or integrate serviceNow or ISE sponsor portal etc.?

if so, do you have document that explains this part?

thanks

ahollifield · ‎04-13-2023

API is probably your best/most scalable way to do this: https://developer.cisco.com/identity-services-engine/

If you are going to do this with the Sponsor Portal then you might as well just use the regular GUI.

ali007 · ‎04-17-2023

Hi,

thanks for your help so far. cant seem to find anyone with good scripting skill to utilise API. so came across BYOD portal.. and it ticks all the boxes however I can't seem to find a way to control access to the BYOD portal. Any ideas? can we somehow restrict this portal access to an AD group or perhaps a local ISE user group?

Regards

ahollifield · ‎04-17-2023

How is BYOD portal any different than just going to Context Visibility and manually placing the endpoint in the "bypass" group? Do you mean the My Devices portal?

ali007 · ‎04-17-2023

Hi, yes I meant the device portal. apologies.

ahollifield · ‎04-17-2023

Again though, how is this different than just going to Context Visibility and placing the endpoint in the bypass group? Is the idea that this portal will be used by non-technical users? You can enable AD login to the My Devices portal but you have better RBAC through the regular admin GUI.

ali007 · ‎04-17-2023

yh with devices portal you can capture more information plus the view is better. can you please share the steps on how to enable AD login to Devices porta? been looking from a while now but struggling.

Regards

ahollifield · ‎04-17-2023

Put your Active Directory Join Point here:

Administration -> Device Portal Management -> My Devices -> [select your portal] -> Portal Settings

ali007 · ‎04-18-2023

Hi Mate, thanks once again. wondering what would my policy look like, I have figured this part out. Just don;t know where to start with the policy. as AD Join Point, will allow the entire domain or the groups defined in that domain join point but I want to restrict access to a particular group.

appreciate all your help.

ahollifield · ‎04-18-2023

So if I am understanding your use-case correctly, you would have two Policy Sets. One for 802.1X and one for MAB. In your 802.1X policy you would use conditions to place different enforcement profiles based on AD Group (dACLS, VLANs, etc.). In your MAB policy you would have a condition for your My Devices Whitelist like "Endpoint ID group = [whatever your Endpoint ID group specified in the My Devices Portal]". Then a simple PermitAccess or whatever enforcement you like for this bypass list.

I would also suggest checking out the ISE YouTube content here: https://www.youtube.com/@CiscoISENetworkSecurity