ISE 1.2 - Match Policy Set based on endpoint identity group?

Josh Morris
Level 3

Hello, I would like to create a condition that would force MAB'd clients to hit a certain policy set if their MAC address matches one in an endpoint identity group. Is this possible? I feel like a condition can be created using a combination of attributes, but I cannot seem to hit on it properly. Thanks.

3 Replies

Cisco Employee

Sorry to bring the bad news but that is not possible. You cannot use the "endpoint group" as an attribute when creating an "authentication" condition. 

What exactly are you trying to accomplish? Give us some more details and perhaps there is a different solution for you. 


Thank you for rating helpful posts!

Thanks. I have the basic wired/wireless policy sets, but would like a more detailed level of policy sets for some of my lab machines that need individual DACLs. I don't want to saturate my policy with DACLs. So I would like MAB'd users to enter the Lab Machine Policy Set if they fall in a certain endpoint identity group.

The cleanest way to do this would be to dedicate:

1. (Wired) A test switch where all of your test devices are connecting. You can then build a policy set that matches against that NAS.

2. (Wireless) A test SSID and/or a controller (virtual or 2504). You can then build a policy set that is dedicated to that SSID.


Thank you for rating helpful posts!