ISE Authentication using MAC AND AD group
03-11-2020 01:17 AM
Hi,
I am trying to build a policy to authenticate both the machine's MAC and the user, who should be a member of a special group in AD. I AM NOT USING 802.1X in my setup. My NAD is an ASA.
The user authentication is already done; I just want to know how to also add (AND) certain MAC addresses to the policy that are already added manually on ISE.
Kindly advise.
Thanks!
03-11-2020 06:48 AM
Assuming that your MAC addresses are all placed into an endpoint identity group in ISE, you should be able to check that the endpoint is a member of that group in your authorization policy. If you tried that and it isn't matching your rule, then open up the details of the authentication event in Radius Live Logs and scroll down on the left side to verify what attributes are available to use as a condition in your rule. Make sure the endpoint identity group is showing up properly there. If not, then make sure the "calling-station-id" is actually the MAC address of your client. It would also help if you post a screenshot of the rule you are trying to use.
03-11-2020 07:02 AM
Actually the problem is I can't seem to find which element of the authorization I should match (e.g. for users there is something called identity group: Employee), but for the MAC address I already have them in the endpoint file and I can't seem to build the policy based on MAC. What is the element to match MAC addresses called in the authorization condition?
Regards
03-11-2020 07:11 AM
Have you tried to use "IdentityGroup-Name EQUALS Endpoint Identity Group:<your group name>"?
03-11-2020 07:20 AM
Any ideas?
03-11-2020 11:41 AM
Here is the procedure to check if a MAC address is added to a whitelist group called "IOT devices".
1. Add the MAC address to the Endpoint ID groups (Workcenter > Network Access > ID Groups), e.g. IOT devices.
2. Add the Endpoint ID group to the authorization policy (Workcenter > Network Access > Policy Sets > Authorization Policy) and add a condition: select 'Identity Groups -> Name' as the attribute, with the value "Endpoint ID Groups: IOT devices".
Further, you can combine the condition with AD groups to check the user.
You need to create a tunnel group on the ASA for authorization only. Make sure the VPN device provides user information to ISE for it to verify.
On a different note, if you have AnyConnect you can use the ACIDEX extension to check attributes sent to ISE.
Thanks
Krishnan
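As an added illustration (not code from any post in this thread or from ISE itself), the Python below models the combined rule from the procedure above: an endpoint identity group check AND an AD group check, evaluated against the attributes of one RADIUS request. The group names, accounts and MACs are constructed; it also normalizes the Calling-Station-ID formats so a non-MAC value, the case the earlier reply warns about, fails the rule explicitly instead of silently never matching.

```python
import re

# Constructed sample data standing in for ISE's endpoint identity groups and
# the AD group lookup ISE performs through its external identity source.
# Group names, accounts and MACs are hypothetical.
ENDPOINT_ID_GROUPS = {
    "IOT devices": {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"},
}
AD_GROUP_MEMBERS = {
    "example.local/Users/VPN-Allowed": {"alice", "bob"},
}
REQUIRED_ENDPOINT_GROUP = "IOT devices"
REQUIRED_AD_GROUP = "example.local/Users/VPN-Allowed"

_MAC_CHARS = re.compile(r"^[0-9A-Fa-f:.\-]+$")


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None when the
    Calling-Station-ID is not a MAC (for example when the NAD sends the
    client's IP address instead). Accepts AA:BB:.., AA-BB-.., aabb.ccdd.eeff."""
    if not calling_station_id or not _MAC_CHARS.match(calling_station_id):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def endpoint_groups_for(mac):
    """Endpoint identity groups the MAC belongs to (empty set if unknown)."""
    return {name for name, members in ENDPOINT_ID_GROUPS.items() if mac in members}


def ad_groups_for(username):
    """AD groups the user belongs to (empty set if the user is unknown)."""
    return {name for name, members in AD_GROUP_MEMBERS.items() if username in members}


def authorize(radius_attrs):
    """Evaluate: IdentityGroup:Name EQUALS 'Endpoint ID Groups: IOT devices'
    AND AD:ExternalGroups EQUALS REQUIRED_AD_GROUP. Returns (result, reason).
    Only attributes present in the Access-Request can be matched, so a
    missing or non-MAC Calling-Station-ID fails the endpoint-group half."""
    mac = normalize_mac(radius_attrs.get("Calling-Station-ID", ""))
    if mac is None:
        return "DenyAccess", "Calling-Station-ID is not a MAC address"
    if REQUIRED_ENDPOINT_GROUP not in endpoint_groups_for(mac):
        return "DenyAccess", f"{mac} not in endpoint group {REQUIRED_ENDPOINT_GROUP}"
    user = radius_attrs.get("User-Name", "")
    if REQUIRED_AD_GROUP not in ad_groups_for(user):
        return "DenyAccess", f"{user!r} not in AD group {REQUIRED_AD_GROUP}"
    return "PermitAccess", f"{mac} in {REQUIRED_ENDPOINT_GROUP}, {user!r} in {REQUIRED_AD_GROUP}"
```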
03-12-2020 01:07 AM
Kindly check the attached to see if that is what you mean. In addition, this should work without having 802.1X in my environment, right?
03-11-2020 10:17 AM
Hi,
If you want to add the MAC address as an additional condition in ISE, in your authorization policy look for the "RADIUS:Calling-Station-ID" attribute and put the value of your MAC address in the form AA:AA:AA:AA:AA:AA. This is for one MAC address, so I guess you don't want to do one rule per MAC address.
To match on multiple MAC addresses, in your authorization policy look for the "RADIUS:Called-Station-ID" attribute and select your Endpoint Group.
Regards,
Cristian Matei.
03-11-2020 11:48 PM
Thank you for this solution, but I think it will not work since I am NOT using 802.1X, so there is no RADIUS session between ISE and the endpoint.
03-12-2020 01:45 AM
Hi,
If the endpoint is authenticated by ISE, there is a RADIUS session, not between ISE and the endpoint but between ISE and the NAD. So the endpoint passes authentication through ISE, and thus you configure the authorization policy next in order to match on the MAC address as a condition as well.
Regards,
Cristian Matei.
