Thanks for the reply. We just want to use whitelisted MAC as NAC, that's it. And designate a trust device to add new mac to internal endpoint.

I know I can do this at authorization with trusted id group.  But how do I auto populate this group ? Besides manually importing ? 

Create Endpoint ID group.  Add MAC addresses to Endpoint ID Group.  Specify Endpoint ID group as a condition in the Authorization policy, passing the necessary attributes.  Set Default Authz policy to deny.

Use profiling if you don't want to manually add each MAC address to the group.  Also prevents some MAC spoofing attempts too.  Required Advantage Licensing.

Thanks a lot. I already know the first portion that you mentioned.

So I can using profiling to let a trusted NAD as a source to populate that ID group ?

No.  Profiling is endpoint condition specific.  So ISE will authenticate/authorize anything that looks like a printer, AP, thin client, or whatever.  No static MAC address lists needed.  

https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

So looks like you cant use properties from network device such as location or name in the profiling process 

I mean you can use the NAD properties in the Authorization policies to give differentiated access.  What exactly are you trying to solve?  If a device is trusted (profiled, 802.1X, Static endpoint ID group, etc.) why does it matter what NAD the endpoint is connected to?

I updated my description in my post. I want to just use MAC as the only source to control access. Because there are tons device types in our network, using profiling adds too much overhead to operation. So I want to use mac whitelist here, but that list need to be auto populated

Auto populate?  What would be your source of truth?  What would determine whether or not a device should be trusted?  What is your concern with profiling "overhead"?  Profiling removes the need for you to manually manage Static Endpoint ID Groups.

That's what I am asking if this is doable in ISE. Something like putting a device in a device group, any new mac learned from the NAD in this group will be added into a trusted ID group.

Because we could have control who can plug anything into this trust NAD.

Existing MAC will be imported into an ID group.

Any new MAC that is not in the ID group will be rejected.

Only new MAC that learnt from this NAD will be auto added into this ID group( This's what I am asking if this doable)

Then why deploy NAC at all if you can 100% guarantee that your NADs have trusted devices?  Or is it just this one NAD?  Also plugging into one specific NAD is enough of a criteria to quantify device trust?

What I want is using a trusted switch as an onboarding platform to learn new MAC and add these MAC to a trusted ID group, keep them in that group. Later, these MAC would connect to other switches, as they already included in that ID group, they can be authorized and access the network.