ISE - populate MAC addresses method for MAB

babalao · ‎08-13-2024

Hello,

we are planning to use MAB for a lot of devices (printers,cameras,phones,etc) and we are going to use endpoints identity groups for each class (we are not going to use profiling at first at least).

Is there a way that a user goes to a ISE web portal and populates the MAC and group and this automatically populates the corresponding endpoint group with the MACs ? The idea is that helpdesk fills this data so the security team does not have to do it.

Is somethig like this possible? if so please any guidance would we great.

Thank you!

ccieexpert · ‎08-13-2024

There is a couple of ways to do.. helpdesk can be given access to ISE GUI or you can use the ISE API and they can either run a script with the mac address or have a web frontend that invokes the API.

ahollifield · ‎08-13-2024

Why no profiling? How about using pxGrid direct?

Arne Bier · ‎08-15-2024

Further to what @ccieexpert said, I have created RBAC role for the desktop/IT team to only see LiveLogs, Context Visibility when they login to ISE. From there they have been taught how to import endpoints using CSV (they store their favourite .CSV files for easy use) and that makes bulk imports easy.

Bulk deletes are a bit trickier in the GUI - can't be done via the same .CSV mechanism - we use the Context Visibility to search/filter and then delete from there. Or rely on the purge rules to delete stale entries (eventually).

APIs are great but they expect a lot from the end user - not everyone is comfortable with that - most folks can drive a web interface and a spreadsheet. But a custom tool interfacing via API would possibly be the most efficient, but requires someone to do the (ongoing) development work.

@ahollifield - why not profiling? Possibly cost reasons, I would imagine. Advantage licences are around 5x more expensive than Essentials the last time I looked. That has been a factor for some of my customers - even large customers.