03-02-2023 11:10 AM - edited 03-03-2023 10:43 AM
We are trying to use MAB and the existing internal endpoints as a whitelist (I know it is not secure enough) to prevent new MACs from accessing the network. So I want anything that is not in the internal endpoints to be rejected at the authentication phase.
Is there any way to achieve this? I tried to remove a MAC from the internal endpoints, but ISE automatically adds it back after it reconnects.
I also know that I can achieve the same goal by using authorization, putting trusted MACs into an ID group and then using this group as a condition. But the problem is how to auto-add new MACs into this ID group. Is there any way to set conditions, for example any new MAC learnt from a specific named NAD to be added into this group? This is a dynamic environment; manually adding MACs into the group is not feasible.
What I want is to use a trusted switch as an onboarding platform to learn new MACs, add these MACs to a trusted ID group and keep them in that group. Later, these MACs would connect to other switches, and as they are already included in that ID group, they can be authorized and access the network.
My interface config is as follows:
device-tracking attach-policy ISE_Track
ip access-group ACL-DEFAULT in
authentication control-direction in
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
03-02-2023 11:18 AM
Why not reject at authorization phase? Accomplishes the same thing. What exactly are you trying to do? Just MAB only? Are your "trusted" MAC addresses in an Endpoint ID Group?
Endpoint Purge rules could satisfy what you are trying to accomplish.
03-02-2023 11:25 AM
Thanks for the reply. We just want to use whitelisted MACs as NAC, that's it. And designate a trusted device to add new MACs to the internal endpoints.
I know I can do this at authorization with a trusted ID group. But how do I auto-populate this group, besides manually importing?
03-02-2023 11:36 AM
Create Endpoint ID group. Add MAC addresses to Endpoint ID Group. Specify Endpoint ID group as a condition in the Authorization policy, passing the necessary attributes. Set Default Authz policy to deny.
Use profiling if you don't want to manually add each MAC address to the group. Also prevents some MAC spoofing attempts too. Requires Advantage licensing.
03-02-2023 11:44 AM
Thanks a lot. I already know the first portion that you mentioned.
So I can use profiling with a trusted NAD as a source to populate that ID group?
03-02-2023 11:48 AM
No. Profiling is endpoint condition specific. So ISE will authenticate/authorize anything that looks like a printer, AP, thin client, or whatever. No static MAC address lists needed.
https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456
03-02-2023 12:18 PM
So it looks like you can't use properties from a network device, such as location or name, in the profiling process.
03-02-2023 12:23 PM
I mean you can use the NAD properties in the Authorization policies to give differentiated access. What exactly are you trying to solve? If a device is trusted (profiled, 802.1X, Static endpoint ID group, etc.) why does it matter what NAD the endpoint is connected to?
03-02-2023 12:51 PM - edited 03-02-2023 12:52 PM
I updated the description in my post. I want to use the MAC as the only source to control access. Because there are tons of device types in our network, using profiling adds too much operational overhead. So I want to use a MAC whitelist here, but that list needs to be auto-populated.
03-02-2023 12:58 PM - edited 03-02-2023 12:59 PM
Auto populate? What would be your source of truth? What would determine whether or not a device should be trusted? What is your concern with profiling "overhead"? Profiling removes the need for you to manually manage Static Endpoint ID Groups.
03-02-2023 01:01 PM
That's what I am asking: is this doable in ISE? Something like putting a device in a device group, so that any new MAC learned from a NAD in this group will be added into a trusted ID group.
03-02-2023 01:09 PM
03-02-2023 01:17 PM
Because we have control over who can plug anything into this trusted NAD.
Existing MACs will be imported into an ID group.
Any new MAC that is not in the ID group will be rejected.
Only new MACs learnt from this NAD will be auto-added into this ID group (this is what I am asking, whether it is doable).
03-02-2023 01:37 PM
Then why deploy NAC at all if you can 100% guarantee that your NADs have trusted devices? Or is it just this one NAD? Also, is plugging into one specific NAD enough of a criterion to quantify device trust?
03-02-2023 04:49 PM
What I want is to use a trusted switch as an onboarding platform to learn new MACs, add these MACs to a trusted ID group and keep them in that group. Later, these MACs would connect to other switches, and as they are already included in that ID group, they can be authorized and access the network.
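As an added illustration of the onboarding-switch workflow the poster describes (and of the manual import mentioned in the 11:25 AM reply), this script is not from the thread or from Cisco: it parses constructed "show mac address-table" output from the trusted switch, keeps only dynamically learned MACs on designated onboarding ports, normalizes them to the colon form ISE displays, and diffs them against the already-trusted set so only genuinely new MACs are emitted. The CSV header used for the import file is an assumption, not ISE's documented template.

```python
import csv
import io
import re

# Constructed sample of Cisco IOS "show mac address-table" output (not real data).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    aabb.ccdd.eeff    DYNAMIC     Gi1/0/3
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 4
"""

# MACs already in the trusted endpoint ID group (constructed sample).
EXISTING_TRUSTED = {"00:11:22:33:44:55"}

# One table row: VLAN (or "All"), dotted MAC, entry type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)\s*$"
)


def normalize_mac(dotted: str) -> str:
    """Convert Cisco dotted form (0011.2233.4455) to ISE's colon form (00:11:22:33:44:55)."""
    hexdigits = dotted.replace(".", "").upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {dotted}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def learned_macs(mac_table: str, onboarding_ports: set) -> set:
    """Dynamically learned MACs seen on the designated onboarding ports only (static/CPU entries ignored)."""
    found = set()
    for line in mac_table.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        _vlan, mac, kind, port = m.groups()
        if kind.upper() == "DYNAMIC" and port in onboarding_ports:
            found.add(normalize_mac(mac))
    return found


def new_trusted_macs(mac_table: str, onboarding_ports: set, existing: set) -> set:
    """Only MACs not already in the trusted group, so re-running the export never re-adds known ones."""
    return learned_macs(mac_table, onboarding_ports) - existing


def import_csv(macs: set, group_name: str) -> str:
    """Build an import file; the column names here are an assumed layout, adjust to the ISE template."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["MACAddress", "IdentityGroup"])
    for mac in sorted(macs):
        w.writerow([mac, group_name])
    return buf.getvalue()
```

Restricting the onboarding to named ports (rather than the whole switch) keeps uplinks and the switch CPU entry out of the trusted group, which is the main way an unattended "trust whatever this NAD learns" rule over-collects.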