10-20-2021 05:00 AM - edited 10-20-2021 08:14 AM
I am confused since ISE automatically learns MAC addresses even if I disable the profiling service (disable any probe).
As a test I am using the policy set like below.
| Rule name | Condition | Allowed protocol | Use / Profile |
|---|---|---|---|
| MAB_Pol_set | wired_MAB | HOST_LOOKUP | |
| MAB_AuthC | wired_MAB | | internal endpoint |
| MAB_AuthZ | wired_MAB NetworkAccessAuthenticationStatus=passed | | PermitAccess |
When a PC whose MAC address is not registered manually is connected, the authorization fails.
However, at the same time, ISE automatically learns the MAC address.
And when the PC gets connected (this is the second time), the authentication and authorization succeed, and the PC gets network access.
How could I fix this?
I thought that I could disable automatic MAC address learning by disabling the profiling service, but it does not work.
10-20-2021 01:51 PM
Hi @naoki_Japan ,
As an example ... you are able to:
1st create an Endpoint Identity Group (at Administration > Identity Management > Groups) and manually add the MACs.
2nd create an Authorization Policy (Policy > Policy Sets) with the following condition:
WIRED_MAB
and
IdentityGroup.Name Equals <your Endpoint Identity Groups>
Hope this helps !!!
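A toy model of the behaviour described in this thread, added here as an example (it is not ISE code and not part of any post): it replays repeated MAB attempts against the original authorization rule and against the identity-group condition from the answer. The group names, function names and MAC addresses are hypothetical, and the "endpoint is learned on every attempt" step is taken from the behaviour reported in the question.

```python
# Toy model of the MAB behaviour reported in this thread (not ISE code).
# All names are hypothetical; MAC addresses are constructed samples.
from dataclasses import dataclass, field

DEFAULT_GROUP = "Unknown"          # assumed group for auto-learned endpoints
APPROVED_GROUP = "Approved_Wired"  # hypothetical admin-created identity group


def normalize(mac):
    """Canonical form so 'aa-bb-..', 'AABB.CC..' and 'AA:BB:..' match one entry."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointStore:
    groups: dict = field(default_factory=dict)  # MAC -> identity group

    def add_manually(self, mac, group=APPROVED_GROUP):
        self.groups[normalize(mac)] = group


def mab_request(store, mac, require_group=None):
    """One wired MAB attempt. require_group=None models the original AuthZ
    rule (authentication passed -> permit); a group name models the fix."""
    mac = normalize(mac)
    known = mac in store.groups                  # AuthC: internal endpoints lookup
    store.groups.setdefault(mac, DEFAULT_GROUP)  # endpoint is learned either way
    if not known:
        return "deny"
    if require_group is not None and store.groups[mac] != require_group:
        return "deny"                            # learned, but not in the group
    return "permit"


def replay(macs, require_group=None, approved=()):
    """Run a sequence of MAB attempts against a fresh endpoint store."""
    store = EndpointStore()
    for mac in approved:
        store.add_manually(mac)
    return [mab_request(store, mac, require_group) for mac in macs]


if __name__ == "__main__":
    pc = "00:11:22:33:44:55"  # constructed sample MAC
    print("original rule:", replay([pc, pc]))
    print("group rule   :", replay([pc, pc], require_group=APPROVED_GROUP))
```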
10-20-2021 11:24 PM
Thank you.
I will narrow down the authorization requirement by adding the Endpoint Identity Group as you said.
THX