ISE 1.2 disable endpoints with certain mac address

rakeshvelagala
Level 3

Hi All,


We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.


Thanks

Accepted Solution

You have two options from ISE and one option from the WLC:

The first option, which is not very scalable, is to modify your authentication policy to deny access to a specific MAC address (Radius:Calling station ID). But this is not very scalable, as you can only specify one MAC address.

Your second option is to enable the anomalous client suppression (under systems->settings->protocols->RADIUS). This will be your best option, but it would require a bit of testing to identify what the best values are for your environment.

From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:


Here you will need to modify the exclusion timer to something high as the default is 60 sec.

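Added illustration (not ISE or WLC code) of how the three options above order the checks so that a denied or excluded MAC never produces an AD lookup: a static Calling-Station-ID deny list, then a failure counter with an exclusion timer modelled on the WLC defaults the post mentions (exclusion after the third failure, 60 s). The MAC, account and thresholds are constructed sample values.

```python
"""Model of pre-AD RADIUS filtering; illustration only, not ISE/WLC code."""
import time
from collections import defaultdict, deque

# Option 1: static deny list keyed on Radius:Calling-Station-ID (client MAC).
DENIED_MACS = {"00:11:22:33:44:55"}  # constructed sample value


class FailureSuppressor:
    """Options 2/3: after `max_failures` rejects within `window` seconds,
    exclude the MAC for `exclusion_timer` seconds so no further request
    reaches AD. Defaults mirror the WLC behaviour described in the post."""

    def __init__(self, max_failures=3, window=60.0, exclusion_timer=60.0):
        self.max_failures = max_failures
        self.window = window
        self.exclusion_timer = exclusion_timer
        self.failures = defaultdict(deque)  # mac -> timestamps of failures
        self.excluded_until = {}            # mac -> time the exclusion ends

    def is_excluded(self, mac, now):
        return self.excluded_until.get(mac, 0.0) > now

    def record_failure(self, mac, now):
        q = self.failures[mac]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self.excluded_until[mac] = now + self.exclusion_timer
            q.clear()


def normalize_mac(mac):
    return mac.replace("-", ":").lower()


def authenticate(mac, username, password, ad_lookup, suppressor, now=None):
    """Return (result, reached_ad). Deny/exclude decisions happen before AD."""
    now = time.time() if now is None else now
    mac = normalize_mac(mac)
    if mac in DENIED_MACS:
        return "reject-denied-mac", False
    if suppressor.is_excluded(mac, now):
        return "reject-excluded", False
    ok = ad_lookup(username, password)  # the only path that touches AD
    if not ok:
        suppressor.record_failure(mac, now)
        return "reject-bad-credentials", True
    return "accept", True


def _fake_ad(username, password):
    # Constructed stand-in for AD with a single valid account.
    return username == "george" and password == "correct"
```

Note that with the WLC-style counter the first three bad passwords still reach AD, which is why the original poster preferred the static deny list.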


Saurav Lodh
Level 7

In the endpoint identity, assign the MAC as blacklisted, from static assignment.

Hi

Thanks for the reply. But in ISE, it will check authentication first followed by authorization. So it is still sending a request to AD before authorization. Hence the account will be locked.


Profile the device as blacklisted:

1.2: Administration -> Identity Manager -> Endpoint (search the MAC) -> In network search, Blacklisted

2.X: Administration -> Identity Management -> Groups -> Endpoint Identity Groups -> Blacklisted -> Edit -> Add


Link: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_010101.html

abwahid
Level 4


Hi,

Then, in the DHCP server you can filter this MAC address to block requests from reaching the AD.

rakeshvelagala
Level 3

Hi,

Though the first option is not scalable, I think it is the best bet I have got.

There are students using one another's accounts (e.g. say a friend's user name is George); they are using this as the user name and blocking their friend's account.

So the second and third options will not be applicable to me.


Thanks