
Configure ISE MAB to allow devices on vendor ID part of MAC address?

Redguy
Level 1

Is it possible to set up ISE to recognize devices for MAB based on the vendor ID part of their MAC addresses?

My company builds robot solutions and uses its own vendor code. I want to recognize our robot products as they are plugged into the network in our various test and development areas so they get assigned to the test network via NAC & ISE/MAB instead of having to register their MAC addresses all the time. Those developers and test guys are busy bees and always in a rush and will plug all kinds of stuff into any outlet they see fit.

3 Replies

@Redguy yes, you can use the ISE profiling to profile the device based on the MAC OUI and/or other attributes learnt about the device. You can then return a dynamic VLAN or other settings such as DACL to the devices that match your specific profiled devices.

You may need to create a specific profiling policy to match your required MAC OUI (if not built-in to ISE already), you can combine multiple attributes in the policy.

ISE Profiling Guide for more information - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId--368844690

 

Ah great!

I haven't reached the profiling part of my ISE training yet, but that will save me a lot of time setting up the test networks.

Arne Bier
VIP

In addition to what Rob mentioned (ISE profiling), you can also achieve this without Profiling. Remember that Profiling requires the medium tier license (Plus/Advantage). If you only have the Base/Essentials license you can create simple MAB Authorization Policy Rules that match on the MAC prefix hex digits. That only consumes a base license.
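The MAC-prefix match discussed in the replies above, modelled as an added example that is not part of any post in this thread and is not ISE configuration: it normalizes the MAC formats a switch may send and decides whether an endpoint would fall under a vendor-prefix rule. The function names, outcome labels and sample addresses are assumptions, and the OUI 00-00-5E (the IANA prefix whose 00-53-xx block RFC 7042 reserves for documentation) stands in for the company's own vendor code.

```python
import re

# Placeholder vendor prefix (assumption): IANA OUI used for documentation addresses.
ROBOT_OUIS = {"00005E"}

_HEX12 = re.compile(r"[0-9A-F]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 uppercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    return digits if _HEX12.fullmatch(digits) else None


def classify(calling_station_id, ouis=ROBOT_OUIS):
    """Decide which policy outcome (hypothetical labels) a MAB endpoint gets."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject-malformed"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        # Group (multicast) bit set: never a valid source address.
        return "reject-multicast"
    if first_octet & 0x02:
        # Locally administered address: the first three octets are not a
        # vendor-assigned OUI, so they must not satisfy a vendor rule.
        return "default-policy"
    # A prefix match shows only the vendor code the device presents; it is
    # not proof of identity, so the outcome maps to the test network only.
    return "test-network" if mac[:6] in ouis else "default-policy"


# Constructed sample values in the formats commonly seen from switches.
SAMPLES = [
    "00-00-5E-00-53-01",   # hyphenated
    "0000.5e00.5310",      # dotted
    "00:00:5e:00:53:0a",   # colon separated
    "02-00-5E-00-53-01",   # locally administered bit set
    "3C-52-82-00-00-01",   # different vendor prefix
    "00-00-5E-00-53",      # truncated
]


def triage(samples=SAMPLES):
    """Map every sample to its outcome so an inventory can be pre-checked."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for mac, outcome in triage().items():
        print(f"{mac:20} {outcome}")
```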