cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2423
Views
5
Helpful
26
Replies

Is there any way to prevent new MAC to be added to internal endpoints

EHNET
Level 1
Level 1

We are trying to using MAB and existing internal endpoints as a whitelist ( I know it is not secure enough) to prevent new mac to access network. So I want anything that is not in internal endpoint to be rejected at authentication phase.

Is there anyway to achieve this ? I tried to remove a mac from internal endpoint, but ISE will automatically add it back after it reconnected.

I also know that I can achieve same goal by using authorization and putting trusted MAC into an ID group then use this group as condition. But the problem is how to auto add new MAC into this ID group ? Is there anyway to set conditions, for example any new MAC learnt from a specific named NAD to be added into this group? This is a dynamic environment, manually adding MAC into group is not feasible.

What I want is using a trusted switch as an onboarding platform to learn new MAC and add these MAC to a trusted ID group, keep them in that group. Later, these MAC would connect to other switches, as they already included in that ID group, they can be authorized and access the network.

My interface config is as follows:

device-tracking attach-policy ISE_Track
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab

 

 

26 Replies 26

balaji.bandi
Hall of Fame
Hall of Fame

you can add MAC entries in to ISE and create a profile, so only MAC address will be allowed, rest will be rejected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

sorry, can you please elaborate more ? Do you mean assign trusted mac into  an id group ?

Arne Bier
VIP
VIP

It's clear by now that ISE will "collect" every MAC address of every endpoint from Switches/WLC/VPN that send their RADIUS requests to ISE. That's how ISE populates its Context Visibility Database. ISE has no idea which of these endpoints are important to you. That decision can be done "automatically" by profiling (assigning endpoints to certain profiles of interest, e.g. printers, Windows-10 PCs, etc.) or manually - the manual method involves either clicking around in ISE Context Visibility and setting the Endpoint Profiles or even the Endpoint Identity Group - but it's a very laborious process. You can also export the Endpoint database, and do this manipulation in a spreadhseet. Or, if you're clever enough, do it via REST API. Either way, there has to be some logic/reasoning applied that a machine can understand if you want this association to happen. Profiling is your best bet.

Charlie Moreton
Cisco Employee
Cisco Employee

How about creating a new Profiling Condition?  Use the NAS IP Address for the condition

CharlieMoreton_0-1677793554509.png

 

And then add a new Profiling Policy

CharlieMoreton_1-1677794267334.png

Have fun with Randomized MAC Addresses

Thanks for your suggestion. I guess the method here can assign MAC to an ID group when it is connected to that specific switch. But when the same MAC connects to another switch. That MAC wont be in that ID group any more.

What I want is using a trusted switch as an onboarding platform to learn new MAC and add these MAC to a trusted ID group, keep them in that group. Later, these MAC would connect to other switches, as they already included in that ID group, they can be authorized and access the network.

Changing the rules as the game progresses?  Not fun for the players.  

Sounds like you need to set up the profiling from your 'onboarding' switch as described above, use the API to extract MAC addresses from the Endpoint Identity Group and feed into an ODBC database and use that DB as an External Identity Source.

Unless you have ISE 3.2, in which case you can use DataConnect to gather the information.

Thanks. Looks like using API to populate that whitelist is the way. We are on 3.1 now, I will see if that 3.2 feature meet our needs. One more question, will there be any performance issue, if I have more than 10k MAC in that ID group and authorization need to check against each time?  And from performance perspective,  any benefit using an external database store this list vs put them in an ID group using ISE ?

It'll be about the same.  To use an internal EIG, you would use the API to write back to ISE, whereas the ODBC ID Provider will be the source of the Authentication.  Either way, you are reading from ISE via API, then either writing back to ISE or performing a simple lookup from ODBC.

sidshas03
Spotlight
Spotlight

You have mentioned that removing a MAC address from the internal endpoint list does not prevent it from being added back automatically when the device reconnects. This is because the device tracking feature in Cisco IOS automatically adds and updates endpoint information, including MAC addresses, as new devices are discovered on the network.

To overcome this issue, you can create a custom Identity Group in ISE that includes all the MAC addresses of your internal endpoints, and then use this group as a condition in your authentication and authorization policies. You can configure ISE to automatically add new MAC addresses to this group when they are discovered on the network by using a dynamic ID group.



Once the dynamic ID group is created, you can use it as a condition in your authentication and authorization policies. For example, you can create an Authorization Policy that restricts network access to only devices that belong to the "InternalEndpoints" group.

By using a dynamic ID group, new MAC addresses learned from a specific named NAD will be automatically added to the group, and devices that are not part of the group will be denied network access.

Sorry, I may be late with your problem. By now you would have resolved it. I hope it helps others who need it in the future.

Thanks for your reply. Your solution is similar to another reply that using profiling to put new MAC in a dynamic ID group. But we need to keep these MACs in this ID group once they are added. These MAC will connect to other NAD after they are onboarded in that specific switch.

Hey bud, did you ever find a solution for this? Trying to do exactly what you are and no one understands me! In any case, thanks.

hslai
Cisco Employee
Cisco Employee

@EHNET If you really want a trusted switch as the means of host on-boarding, one option is to use a regular ISE guest portal or an ISE hotspot portal to associate the client MAC addresses statically to an endpoint group.