1475
Views
5
Helpful
2
Replies

ISE and MAB

angel-moon
Level 3

Hello,

If I want to use MAB on a bunch of devices from the same manufacturer that can't do 802.1x, can I create just a single MAB policy and have all the devices hit that policy, or will I have to enter every actual MAC address for each device?

Thanks in advance!

Accepted Solution

jj27
Spotlight

As long as the manufacturer has the same OUI (first 6 characters of the MAC address) then you can accomplish it with one policy. Your condition would be Radius:Calling-Station-ID starts with <first 6 characters>, for example 00-12-34 or 00:12:34 depending on how your accounting is configured.

You can also accomplish it by creating a profiling policy with the same condition, or a condition to match the OUI by name (as seen in Context Visibility), then using the condition in your authorization policy: Endpoint:EndpointPolicy = <ProfileName>.

Lastly, you could populate an Endpoint Group with all of the MAC addresses manually (or bulk import) if desired.

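As an added illustration (not code from the thread or from Cisco ISE), the Python below shows why the "starts with" condition in the accepted answer depends on the separator format the NAD sends: a literal prefix match only hits when the Calling-Station-ID is spelled exactly like the prefix, while normalizing both sides first gives a format-independent OUI check you can use to verify a rule against captured values. The OUI 00-12-34 is the answer's example value, not a real vendor lookup, and the Calling-Station-ID samples are constructed.

```python
import re

# OUI from the accepted answer's example (a constructed value, not a vendor lookup).
VENDOR_OUI = "00-12-34"

_SEPARATORS = re.compile(r"[-:.\s]")
_MAC12 = re.compile(r"[0-9a-f]{12}")
_OUI6 = re.compile(r"[0-9a-f]{6}")


def normalize_mac(calling_station_id: str) -> str:
    """Reduce a Calling-Station-ID to 12 lowercase hex digits.

    Handles the spellings different NADs send: 00-12-34-56-78-9A,
    00:12:34:56:78:9a, 0012.3456.789a and the bare 00123456789a form.
    Anything else raises ValueError rather than silently matching.
    """
    digits = _SEPARATORS.sub("", calling_station_id.strip().lower())
    if not _MAC12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


def normalize_oui(oui: str) -> str:
    """Same treatment for the 3-byte vendor prefix (00-12-34 -> 001234)."""
    digits = _SEPARATORS.sub("", oui.strip().lower())
    if not _OUI6.fullmatch(digits):
        raise ValueError(f"not an OUI: {oui!r}")
    return digits


def matches_vendor(calling_station_id: str, oui: str = VENDOR_OUI) -> bool:
    """Format-independent OUI check: what the MAB rule is meant to express."""
    return normalize_mac(calling_station_id)[:6] == normalize_oui(oui)


def literal_starts_with(calling_station_id: str, prefix: str = VENDOR_OUI) -> bool:
    """What a plain 'starts with' string condition does: no normalization, so the
    prefix only hits when the NAD uses exactly the same separators and case."""
    return calling_station_id.startswith(prefix)


if __name__ == "__main__":
    # Constructed Calling-Station-ID values as three different NADs might send them.
    for csid in ("00-12-34-56-78-9A", "00:12:34:56:78:9a", "0012.3456.789a"):
        print(f"{csid:20} literal={literal_starts_with(csid)!s:5} "
              f"normalized={matches_vendor(csid)}")
```

Run it against the Calling-Station-ID values seen in your own RADIUS live logs to confirm which spelling your switches use before writing the prefix into the ISE condition.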

2 Replies


Mike.Cifelli
VIP Alumni

I agree with @jj27.

However, please note that if pushing authz policy via profiled endpoint groups you will require Plus licensing. If licensing is a concern I would recommend leveraging a bulk add via the REST API. Check this out: https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623