I've noticed that Cisco ISE automatically enters a newly discovered endpoint's MAC address into its endpoint database. May I know how I can prevent that behavior?
I'm using MAB as my authentication method, which means I need to statically input the endpoints' MAC addresses before they can have access to my network.
Why is that a problem? Unless you are allowing them access in your authorization rule by not being specific enough about which endpoint groups you allow access, I don't see the problem.
All you have to do is have an authorization rule for MAB only when the MAC is in a specific endpoint group, where you put your authorized MAC addresses, and then deny all other MAB requests.
Thanks for the feedback. My problem is that my client wants to input the MAC addresses manually in ISE and not have them automatically detected by ISE. How can I configure ISE that way?
You can't disable this behaviour, but what you normally would do is create an endpoint group, and when you manually enter your MAC addresses, you select that group. Then you create an authorization rule that matches on that identity group and MAB (wireless or wired) and grants access, and then a rule under that which only matches on MAB and denies access. The MAC addresses that are not in that group (auto-created by ISE) will still be authenticated, but will get no access, as authorization is denying them access.
Yes! Whatever you explained is correct.
But how can we stop ISE from adding MAC addresses dynamically and use only the manually added MACs for authentication and authorization?
The customer doesn't want dynamically added MACs from ISE, which is the requirement.
We are using ISE 1.4 (no patch). Please let me know.
From my experience, the feature that actually creates the MAC address in the ISE database is profiling. So if you are not using profiling for anything, you could try to disable it; otherwise I don't think this can be done.
Thank you for the response.
We are using the ISE profiling feature for authorization.
Isn't it possible to restrict ISE from dynamically adding MACs with the profiling feature enabled?
Is there any alternative, since the client is under the perception that we will be adding MACs manually and ISE should not add them dynamically for failed authentication and authorization?
I know of no way to stop ISE creating the MAC addresses itself, other than disabling profiling. ISE is working as it's supposed to; I still don't understand why it's a problem. Manually created MAC addresses just need to be put in a group and then used in an authorization rule, then you tell the customer to create the MACs in that specific group. It's a very common use case for ISE.
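The policy design described in this reply and in the earlier one (a group holding the manually created MACs, a permit rule for MAB requests whose endpoint is in that group, then a deny rule for every other MAB request) can be modelled as a small first-match evaluator. The model below is an added illustration for this thread, not ISE code or a Cisco API: the group name `Authorized_MAB_Devices`, the default group `Unknown`, the rule names and the sample MAC addresses are constructed assumptions. It shows the point both replies make: an endpoint that ISE auto-creates still lands outside the authorized group, so the first rule never matches it and the second rule denies it.

```python
"""Model of the MAB authorization design discussed in the thread.

Constructed illustration (not Cisco ISE code): an endpoint store that
auto-creates unknown MACs the way profiling does, a manually maintained
identity group, and an ordered first-match authorization policy.
"""
import re
from dataclasses import dataclass, field

AUTHORIZED_GROUP = "Authorized_MAB_Devices"  # assumed name of the manually populated group
DEFAULT_GROUP = "Unknown"                     # assumed group for auto-created endpoints
MAB_METHODS = ("Wired_MAB", "Wireless_MAB")


def normalize_mac(raw: str) -> str:
    """Canonicalize 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or 'AA:BB:...' to 'AA:BB:CC:DD:EE:FF'.

    A consistent key matters: a MAC entered by hand in one notation must match
    the same MAC arriving from the switch in another notation.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    hex_digits = hex_digits.upper()
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointDB:
    groups: dict = field(default_factory=dict)  # canonical MAC -> identity group

    def add_manual(self, raw_mac: str, group: str = AUTHORIZED_GROUP) -> None:
        """Operator-entered endpoint, placed in the authorized group."""
        self.groups[normalize_mac(raw_mac)] = group

    def lookup_or_create(self, raw_mac: str) -> str:
        """Return the endpoint's group; an unseen MAC is stored automatically
        (the behaviour the thread asks about) but only in the default group."""
        return self.groups.setdefault(normalize_mac(raw_mac), DEFAULT_GROUP)


@dataclass
class Request:
    mac: str
    method: str  # e.g. "Wired_MAB", "Wireless_MAB", "Wired_802.1X"


def authorize(db: EndpointDB, req: Request) -> tuple[str, str]:
    """First-match evaluation of the two rules from the thread.

    1. MAB and endpoint in AUTHORIZED_GROUP -> PermitAccess
    2. MAB, any endpoint                    -> DenyAccess
    Anything else falls to an implicit default, modelled here as DenyAccess.
    Returns (matched rule name, result).
    """
    group = db.lookup_or_create(req.mac)
    is_mab = req.method in MAB_METHODS
    rules = [
        ("Authorized MAB devices", lambda: is_mab and group == AUTHORIZED_GROUP, "PermitAccess"),
        ("Deny unknown MAB", lambda: is_mab, "DenyAccess"),
    ]
    for name, matches, result in rules:
        if matches():
            return name, result
    return "Default", "DenyAccess"


if __name__ == "__main__":
    db = EndpointDB()
    db.add_manual("0011.2233.4455")  # constructed sample, entered in IOS dotted notation

    # Constructed sample requests: the authorized device, then a never-seen device.
    for req in (Request("00:11:22:33:44:55", "Wired_MAB"),
                Request("66-77-88-99-aa-bb", "Wired_MAB"),
                Request("66-77-88-99-aa-bb", "Wireless_MAB")):
        print(req.method, req.mac, "->", authorize(db, req))
    # The unknown MAC is now in the store, but in the default group, so it stays denied.
    print("endpoint store:", db.groups)
```

The store growing with unknown MACs is harmless under this policy because access is decided by group membership, not by mere presence in the database; what the operator controls is which MACs are placed in `Authorized_MAB_Devices`.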