11-12-2023 06:31 AM
Is it possible to set up ISE to recognize devices for MAB based on the vendor ID part of their MAC addresses?
My company builds robot solutions and uses its own vendor code. I want to recognize our robot products as they are plugged into the network in our various test and development areas so they get assigned to the test network via NAC & ISE/MAB instead of having to register their MAC addresses all the time. Those developers and test guys are busy bees and always in a rush and will plug all kinds of stuff into any outlet they see fit.
11-12-2023 06:36 AM - edited 11-12-2023 06:53 AM
@Redguy yes, you can use the ISE profiling to profile the device based on the MAC OUI and/or other attributes learnt about the device. You can then return a dynamic VLAN or other settings such as DACL to the devices that match your specific profiled devices.
You may need to create a specific profiling policy to match your required MAC OUI (if not built-in to ISE already); you can combine multiple attributes in the policy.
ISE Profiling Guide for more information - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId--368844690
11-12-2023 06:52 AM
Ah great!
I haven't reached the profiling part of my ISE training yet, but that will save me a lot of time setting up the test networks.
11-12-2023 02:22 PM
In addition to what Rob mentioned (ISE profiling), you can also achieve this without Profiling. Remember that Profiling requires the medium tier license (Plus/Advantage). If you only have the Base/Essentials license you can create simple MAB Authorization Policy Rules that match on the MAC prefix hex digits. That only consumes a base license.
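
The MAC-prefix match described in the replies above, as an added example that is not part of the thread and is not ISE configuration: a Python script that normalizes the separator styles a switch may send and applies a "starts with OUI" decision to a list of endpoints. The OUI `A0B1C2`, the result labels and the sample addresses are constructed placeholders.

```python
import re

# Constructed placeholder OUI and result labels (assumptions, not from the thread).
ROBOT_OUI = "A0B1C2"
MATCH_RESULT, DEFAULT_RESULT = "TEST_NET", "DEFAULT"

# Constructed sample identities in several common separator styles.
SAMPLES = ["a0-b1-c2-00-11-22", "A0B1.C200.1133", "a0:b1:c2:de:ad:01",
           "3C:22:FB:10:20:30", "A2:B1:C2:00:11:22", "A0B1C"]


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 uppercase hex digits, whatever separators were used."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits


def is_locally_administered(raw: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, as in randomized MACs."""
    return bool(int(normalize_mac(raw)[:2], 16) & 0x02)


def authorize(raw: str, oui: str = ROBOT_OUI) -> str:
    """Mimic a 'MAC starts with <OUI>' rule: match gives the test network, else default."""
    prefix = re.sub(r"[-:.\s]", "", oui).upper()
    try:
        mac = normalize_mac(raw)
    except ValueError:
        return DEFAULT_RESULT  # a malformed identity never matches the vendor rule
    return MATCH_RESULT if mac.startswith(prefix) else DEFAULT_RESULT


def audit(macs):
    """Map each presented MAC to the result the prefix rule would give it."""
    return {m: authorize(m) for m in macs}


if __name__ == "__main__":
    for mac, result in audit(SAMPLES).items():
        print(f"{mac:<20} {result}")
```

MAC addresses are asserted by the client, so a prefix match only shows that the address claims the vendor's OUI; the matching rule is best paired with a result that grants no more than the test network needs.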