cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2229
Views
0
Helpful
13
Replies

Cisco ISE wired NAC bypass using MAC

ali007
Level 1
Level 1

Hi,

the business doesn't want us to use the portal included in ISE for NAC bypass using MAC so wondering is there any other way of doing this i.e. using a script, or Service now integration etc.? or integration with sponsor portal?

 

 

Regards

1 Accepted Solution

Accepted Solutions

API is probably your best/most scalable way to do this: https://developer.cisco.com/identity-services-engine/

If you are going to do this with the Sponsor Portal then you might as well just use the regular GUI.

View solution in original post

13 Replies 13

To do what exactly?  Bypass authentication?  Is this wired or wireless?  Guest?  Something else?  Do you mean you don't want to do MAB?  Or rely on some other attribute for non-802.1X devices?

https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356

ali007
Level 1
Level 1

so users whose machine fail to authenticate using NAC (802.1x EAP-TLS), this bypass will provide them temporary access using MAC address.

So how would the MAC address get added to ISE?  Is that what you are asking?   

Exactly... I know how its done through ISE GUI but is it possible to either script it using API or integrate serviceNow or ISE sponsor portal etc.?

if so, do you have document that explains this part?

 

thanks

API is probably your best/most scalable way to do this: https://developer.cisco.com/identity-services-engine/

If you are going to do this with the Sponsor Portal then you might as well just use the regular GUI.

Hi,

 

thanks for your help so far. cant seem to find anyone with good scripting skill to utilise API. so came across BYOD portal.. and it ticks all the boxes however I can't seem to find a way to control access to the BYOD portal. Any ideas? can we somehow restrict this portal access to an AD group or perhaps a local ISE user group?

 

 

Regards

How is BYOD portal any different than just going to Context Visibility and manually placing the endpoint in the "bypass" group?  Do you mean the My Devices portal?

Hi, yes I meant the device portal. apologies.

Again though, how is this different than just going to Context Visibility and placing the endpoint in the bypass group?  Is the idea that this portal will be used by non-technical users?  You can enable AD login to the My Devices portal but you have better RBAC through the regular admin GUI.

yh with devices portal you can capture more information plus the view is better.  can you please share the steps on how to enable AD login to Devices porta? been looking from a while now but struggling.

 

Regards

Put your Active Directory Join Point here:

ahollifield_0-1681743688867.png

Administration -> Device Portal Management -> My Devices -> [select your portal] -> Portal Settings

 

Hi Mate, thanks once again. wondering what would my policy look like, I have figured this part out. Just don;t know where to start with the policy. as AD Join Point, will allow the entire domain or the groups defined in that domain join point but I want to restrict access to a particular group.

 

appreciate all your help.

So if I am understanding your use-case correctly, you would have two Policy Sets.  One for 802.1X and one for MAB.  In your 802.1X policy you would use conditions to place different enforcement profiles based on AD Group (dACLS, VLANs, etc.).  In your MAB policy you would have a condition for your My Devices Whitelist like "Endpoint ID group = [whatever your Endpoint ID group specified in the My Devices Portal]".  Then a simple PermitAccess or whatever enforcement you like for this bypass list.

I would also suggest checking out the ISE YouTube content here: https://www.youtube.com/@CiscoISENetworkSecurity