07-31-2015 04:34 AM - edited 03-10-2019 10:56 PM
Hi,
Good Day!
I've noticed a behavior of Cisco ISE: it automatically enters newly discovered endpoints' MAC addresses into its endpoint database. May I know how I can prevent that behavior?
I'm using MAB as my authentication method, which means I need to statically input the endpoint's MAC address before it can have access to my network.
Please help.
Thanks.
07-31-2015 05:07 AM
Why is that a problem? Unless you are allowing them access in your authorization rule by not being specific enough about which endpoint groups you are allowing access, I don't see the problem.
All you have to do is have an authorization rule for MAB only when the MAC is in a specific endpoint group, where you put your authorized MAC addresses, and then deny all other MAB requests.
08-01-2015 03:18 AM
Hi Jan,
Good Day!
Thanks for the feedback. My problem is that my client wants to input the MAC addresses manually in ISE and not have them automatically detected by ISE. How can I configure ISE that way?
Thanks.
08-01-2015 03:54 AM
You can't disable this behaviour, but what you normally would do is create an endpoint group, and when you manually enter your MAC addresses, you select that group. Then you create an authorization rule that matches on that identity group and MAB (wireless or wired) and grants access, and then a rule under that which only matches on MAB and denies access. The MAC addresses that are not in that group (auto-created by ISE) will still be authenticated, but will get no access, as authorization denies them.
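The two-rule policy described in the reply above, as an added illustration that is not ISE code and does not use any ISE API: a small Python model of an endpoint database with one admin-populated identity group, an ordered first-match authorization policy (permit when the MAC is in the group and the request is MAB, deny any other MAB request), and MAC normalization so that an address typed as AA-BB-CC-11-22-33, aabb.cc44.5566 or bare hex matches what the switch sends in Calling-Station-Id. The group name, rule names, and MAC addresses are constructed, and the normalization is an assumption about input handling in this model, not a statement about how ISE stores addresses.

```python
"""Model of a 'known endpoints group permits, everything else MAB denies'
authorization policy. Added example; not Cisco ISE code or an ISE API.
The group name, rule names and MAC addresses below are constructed."""

import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical identity group the administrator creates and fills by hand.
KNOWN_ENDPOINTS_GROUP = "Known_MAB_Endpoints"


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lower-case colon form (aa:bb:cc:11:22:33).

    Accepts colon, hyphen, Cisco dotted (aabb.cc44.5566) and bare hex.
    Raises ValueError for anything that is not 12 hex digits, so a typo
    in a hand-entered address is caught at entry time instead of
    silently failing to match at authorization time.
    """
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointDB:
    """Stand-in for the endpoint database.

    'endpoints' maps a normalized MAC to the identity group it was
    statically assigned to, or None for endpoints the system created on
    its own (those land outside the admin's group).
    """
    endpoints: Dict[str, Optional[str]] = field(default_factory=dict)

    def add_static(self, mac: str, group: str) -> None:
        self.endpoints[normalize_mac(mac)] = group

    def auto_create(self, mac: str) -> None:
        # Models profiling learning a new MAC: recorded, but in no group.
        self.endpoints.setdefault(normalize_mac(mac), None)

    def group_of(self, mac: str) -> Optional[str]:
        return self.endpoints.get(normalize_mac(mac))


@dataclass
class AccessRequest:
    calling_station_id: str   # MAC as the NAS sends it (any common format)
    protocol: str = "MAB"     # "MAB" or "802.1X" in this model


def authorize(db: EndpointDB, req: AccessRequest) -> Tuple[str, str]:
    """First-match, top-down evaluation of the two ordered rules.

    Returns (rule_name, result). An unknown MAC is recorded first, which
    is the auto-creation behaviour the thread asks about: it does not
    change the outcome, because the new endpoint is not in the group.
    """
    mac = normalize_mac(req.calling_station_id)
    db.auto_create(mac)
    is_mab = req.protocol == "MAB"
    rules = [
        ("MAB_Known_Endpoints",
         lambda: is_mab and db.group_of(mac) == KNOWN_ENDPOINTS_GROUP,
         "PermitAccess"),
        ("MAB_Deny_Unknown", lambda: is_mab, "DenyAccess"),
    ]
    for name, condition, result in rules:
        if condition():
            return name, result
    return "Default", "DenyAccess"


def demo() -> Tuple[Dict[str, Tuple[str, str]], EndpointDB]:
    """Two hand-entered MACs (in different formats) and one unknown MAC."""
    db = EndpointDB()
    db.add_static("AA-BB-CC-11-22-33", KNOWN_ENDPOINTS_GROUP)  # printer
    db.add_static("aabb.cc44.5566", KNOWN_ENDPOINTS_GROUP)      # IP phone
    results = {}
    for mac in ("aa:bb:cc:11:22:33", "AABBCC445566", "de:ad:be:ef:00:01"):
        results[mac] = authorize(db, AccessRequest(mac))
    return results, db


if __name__ == "__main__":
    outcome, database = demo()
    for mac, (rule, result) in outcome.items():
        print(f"{mac}: {rule} -> {result}")
    print("auto-created, ungrouped:",
          [m for m, g in database.endpoints.items() if g is None])
```

Running it shows the point of the reply: the unknown MAC ends up in the database (auto-created, in no group) yet is denied by the second rule, so the automatic entry is harmless as long as the permit rule is scoped to the admin-managed group rather than to "any MAB-authenticated endpoint".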
07-11-2017 01:21 AM
Hello Jan,
Yes! Whatever you explained is correct.
But how can we stop ISE from adding MAC addresses dynamically and use only the manually added MACs for authentication and authorization?
The customer doesn't want dynamically added MACs from ISE; that is the requirement.
We are using ISE 1.4 (no patch). Please let me know.
07-11-2017 01:48 AM
From my experience, the feature that actually creates the MAC address in the ISE database is profiling. So if you are not using profiling for anything, you could try to disable it; otherwise I don't think this can be done.
07-11-2017 02:01 AM
Hello Jan,
Thank you for the response.
We are using the ISE profiling feature for authorization.
Isn't it possible to restrict ISE from adding MACs dynamically with the profiling feature enabled?
Is there any alternative? The client is under the perception that we will be adding MACs manually and that ISE should not add them dynamically for failed authentication and authorization.
07-11-2017 02:50 AM
I know of no way to stop ISE creating the MAC addresses itself, other than disabling profiling. ISE is working as it's supposed to; I still don't understand why it's a problem. Manually created MAC addresses just need to be put in a group and then used in an authorization rule, then you tell the customer to create the MACs in that specific group... it's a very common use case for ISE.