Endpoint registration via GUI/portal or whatever

Olivier Jessel
Level 1

Dear all,

I recently deployed ISE 2.6 in a dispersed mode, and until now everything runs smoothly.

I have a requirement from business about giving access to the LAN to some "unmanaged and exotic" devices like scanners/3d printers, and so on...

Most of these just don't support dot1x or CWA, and they are also on the network only for a few days/weeks, during staging phase.

I am looking for a friendly way for the end user to register these devices with their MAC addresses on the ISE, into the correct endpoint group. Else, the security team will be swamped with requests every day...

Any idea how to achieve that? Or maybe a different approach?

Thanks for your help ;)

CCIE #44658
2 Accepted Solutions

Surendra
Cisco Employee
You can use the My Devices Portal on the ISE (Administration > Device Portal Management > My Devices). Create one portal for every group in the portal settings, give it a user-friendly FQDN like printers, scanners etc., and share these FQDNs with the users. Users will log in to the respective portals and register their devices accordingly, which in the backend will be placed in the group you configure in the portal settings. You can configure policies to dictate the level of access to that endpoint group afterwards.


Yes. That is also an option, provided the customer is OK with giving access to ISE on port 443 from the VLAN the users will be residing in. Also, any user who is part of a specific user group can edit any device that is part of the specific endpoint group to which access is given. For example:

image001.png

Select the AD Group the user is a part of above.

Data access as follows:

image002.png

Menu Access as follows:

image003.png

Policy as follows:

image004.png

The result will be as follows when a user is part of the AD group listed under Admin Group:

image005.png

6 Replies


Thanks Surendra,

Last question: can I also restrict access to these portals to only some users or groups of users (like based on AD group or local ISE users)?

CCIE #44658

AFAIK, there isn’t such option yet.

Ok, I'll find another way to restrict the access to it ;)

Thanks a lot for your help!

CCIE #44658

You can use the API to write your own portal.


@Surendra what about using the PAN and giving access to certain groups? It's not as nice as the My Devices portal, but they could also have RBAC to groups.

Another option using my devices (hasn't been validated for a while)

https://community.cisco.com/t5/security-documents/ise-1-3-2-1-sponsor-authorization-on-secondary-attributes/ta-p/3641379
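One way to act on the "write your own portal with the API" suggestion above, as an added example that is not from this thread or from Cisco: a small Python helper that only lets a requester's team register MAC addresses into the endpoint identity group it is allowed to use (the restriction asked about earlier), normalises the MAC, and posts the endpoint to the ISE ERS endpoint resource. The host, ERS credentials, team-to-group mapping and group IDs are placeholders; it assumes ERS is enabled on the PAN (port 9060), that the ISE certificate is trusted by the client, and that the requester's team membership is established by whatever front end sits in front of this code.

```python
import base64
import json
import re
import urllib.request

# Placeholders (assumptions): your PAN, an admin with the ERS Admin role.
ISE_HOST = "ise-pan.example.internal"
ERS_USER = "ers-admin"
ERS_PASS = "REPLACE_ME"

# Which endpoint identity group each requesting team may register into.
# Group IDs are placeholders; look them up in ISE with
# GET /ers/config/endpointgroup?filter=name.EQ.<group name>
ALLOWED_GROUPS = {
    "printer-admins": {"Printers": "PLACEHOLDER-GROUP-ID-PRINTERS"},
    "scanner-admins": {"Scanners": "PLACEHOLDER-GROUP-ID-SCANNERS"},
}


def normalize_mac(raw: str) -> str:
    """Accept 00-11-22-aa-bb-cc, 0011.22aa.bbcc, etc.; return 00:11:22:AA:BB:CC."""
    if not re.fullmatch(r"[0-9A-Fa-f:\-. ]+", raw.strip()):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_payload(requester_team: str, target_group: str, raw_mac: str, desc: str) -> dict:
    """Enforce the team -> endpoint group allowlist, then build the ERSEndPoint body."""
    groups = ALLOWED_GROUPS.get(requester_team)
    if not groups or target_group not in groups:
        raise PermissionError(f"{requester_team} may not register into {target_group}")
    return {"ERSEndPoint": {
        "mac": normalize_mac(raw_mac),
        "description": desc,
        "groupId": groups[target_group],
        "staticGroupAssignment": True,   # keep the endpoint in the group regardless of profiling
    }}


def register_endpoint(payload: dict) -> int:
    """POST the endpoint to ERS over basic auth; ISE answers 201 Created on success."""
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/endpoint",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_payload("printer-admins", "Printers",
                                   "00-11-22-aa-bb-cc", "staging 3D printer"), indent=2))
```

The front end should derive `requester_team` from an authenticated session (AD group or local ISE user), never from a form field the user controls.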
