Solved: Import MAC addresses from SSCM to ISE for PXE boot via API

Louise Thunem · ‎01-21-2016

During PXE boot process in a network with ISE (2.1) and 802.1x enabled, a new client is granted access to the network via MAB in ISE. Instead of registering all MAC addresses manually (or via .csv file) in ISE we are looking for a way to import client mac addresses registered in SCCM into ISE automatically. The REST API could possibly be used, but cannot find any information on how a case like this can be solved.

Does anyone have experience with this, and how is it solved?

jan.nielsen · ‎01-21-2016

In ISE MAC addresses are stored as "endpoints", these can be created by using the rest api, specifically the create endpoints function.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#pgfId-1115364

You can do this with with pretty much any programming language thas has some sort of http connection library, like php, java, perl, python, powershell, vb.

View solution in original post

jan.nielsen · ‎01-21-2016

In ISE MAC addresses are stored as "endpoints", these can be created by using the rest api, specifically the create endpoints function.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#pgfId-1115364

You can do this with with pretty much any programming language thas has some sort of http connection library, like php, java, perl, python, powershell, vb.

Louise Thunem · ‎01-22-2016

Thank you for your advice. The link was really useful, showing samples of how to create, delete, register endpoints.

nspasov · ‎01-21-2016

Have you also considered using "Low-Impact Mode?" That way you can use a pre-auth ACL and allow things like PXE, DHCP, DNS etc prior to dot1x authentication.

Thank you for rating helpful posts!

Thank you for rating helpful posts!

Louise Thunem · ‎01-22-2016

Yes, you are right, but in this case the customer requires strict mode.