Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1147
Views
0
Helpful
2
Replies

ISE: learn MAC address automatically

Go to solution
naoki_Japan
Beginner
Beginner

‎10-20-2021 05:00 AM - edited ‎10-20-2021 08:14 AM

I am confused since ISE automatically learn MAC address even if I disable the profiling service( disable any probe).....

 

As test I am using the policy set like below.

Rule name                             condition                          allowedprotocol                use/profile

MAB_Pol_set                       wired_MAB                        HOST_LOOKUP

 

MAB_AuthC                         wired_MAB                                                                internal endpoint

 

MAB_AuthZ                         wired_MAB

                                            NetworkAccessAuthenticatiionStatus=passed             PermintAccess

 

 

when a PC the MAC address of which is not registered manually is connected, the authorization is failed.

however, at the same time, ISE automatically learn the MAC address.

And when the PC get connected (this is second time), the authentication and authorization are succeed, and the PC get the network access.

 

 

 

how could I fix this?

I thought that I could disable automatic MAC address learning by disabling profiling service but it does not work.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

‎10-20-2021 01:51 PM

Hi @naoki_Japan ,

 as an example ... you are able to:

1st create an Endpoint Identity Groups (at Administration > Identity Management > Groups) and manually add the MACs.

2nd create an Authorization Policy (Policy > Policy Sets) with the following condition:

WIRED_MAB
and
IdentityGroup.Name Equals <your Endpoint Identity Groups>

 

Hope this helps !!!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

‎10-20-2021 01:51 PM

Hi @naoki_Japan ,

 as an example ... you are able to:

1st create an Endpoint Identity Groups (at Administration > Identity Management > Groups) and manually add the MACs.

2nd create an Authorization Policy (Policy > Policy Sets) with the following condition:

WIRED_MAB
and
IdentityGroup.Name Equals <your Endpoint Identity Groups>

 

Hope this helps !!!

0 Helpful

Go to solution
naoki_Japan
Beginner
Beginner
In response to Marcelo Morais

‎10-20-2021 11:24 PM

thank you.

I will narrow down the requirement of authorization by adding Endpoint Identity Group as you said.

THX

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents