ISE Question

benolyndav
Level 4

Hi

We are having issues with our staff mobile phones. They are using randomized MACs, so each time a user hits an AP they don't get access to the network.

Is it possible to create an Endpoint custom attribute that would match on device serial number? If so, I'm assuming I could use a CSV to upload all the device serial numbers?

Thanks

13 Replies

Arne Bier
VIP

Hello,

What type of authentication are you doing?  iPSK with MAC filtering, or 802.1X with MAC filtering?  Why do you care about the endpoint MAC address?

I was under the impression that (at least with Apple iOS) the MAC address is generated per-device and per-SSID. That means, generated once, and will not change for that device on that same SSID. You can forget and re-join the SSID and the Private MAC address remains the same. If, however, the MAC address is constantly changing for one device on the same SSID, then you have a genuine problem, if MAC address is important to your authentication.

I would question why you are using a MAC address in the first place. 

You can't get a serial number from an endpoint because the endpoint does not provide that data. Even in a wireless 802.1X EAP method, the serial number is not conveyed to the authenticating server (e.g. ISE). Devices have UUIDs (Unique IDs) but you have to get them via an application layer exchange (once the device is already authenticated). The UUID is used to ensure that the device is always recognized for the purpose of MDM (Mobile Device Management) - the device can present any private/random/local MAC address to the network, but ISE will know the device by its UUID and apply the appropriate authorization each time.

I have to admit, I don't have any experience with UUID and MDM deployments to tell you how this works in practice. But here is a Cisco document that explains how the API is used to query an MDM.

Hi

We use the MAC in a group for the phones along with PSK. I have been looking at some videos on the Cisco ISE site and it looks like for now I could use a custom attribute using match iPSK?

Thanks

Yes, custom attributes can certainly be used for iPSK.

Hi

Thanks for that. Do you know of any other custom attribute I may be able to use alongside iPSK? They are Samsung phones.

Thanks

Arne Bier
VIP

I think there is some confusion here. Custom Attributes in the context of ISE means that the ISE Admin is adding customised attributes to either the User Identity, or to the Endpoint Identity. For iPSK we don't need or use custom attributes. 

I am not sure what exactly you're trying to achieve. Perhaps tell us what you're trying to solve.

iPSK (in the classic Cisco WLC case) is done like this:

  • Create a PSK SSID on the Cisco WLAN and enable MAC Filtering on that WLAN to send MAB requests to ISE. Each wireless client will be subjected to ISE authentication.
  • In ISE, create Endpoint Identity Group(s) for each grouping of endpoints that share a common PSK. Add all the clients' MAC addresses to that Endpoint Identity Group - e.g. IPSK_BIOMED_PHILLIPS
  • Then also create an Authorization Policy that matches endpoints, and if they match you can either:
    • Return Access-Accept (in which case the client's PSK must match the PSK configured on the WLAN)
    • Return Access-Accept and iPSK AVPair ASCII string (client must match this PSK or else will be rejected)

Normally, you would use ISE Profiling to determine if an endpoint is an Android or iOS or whatever. If the clients use DHCP then you might get the necessary client identifier from that DHCP request attribute. The most accurate mobile operating system profiling would be via http probing. The http profiling would only happen if the client connected to an ISE Portal (which for iPSK would not be the case). 


Hi

Thanks for that. Yes, I think there was some confusion and I understand regarding the setup. Our problem is that other devices connect to the same SSID and are allowed based on identity groups.


Arne Bier
VIP

Ah OK. So within that Identity Group you want to filter out the Android devices? Then an Endpoint Custom Attribute would be the way to do it. You could create an Attribute like "EndpointOS" and assign it a string to indicate the OS. That sounds like a lot of work and you have to have reliable endpoint information.


So, we ran into something similar when Apple started this, as the communications group uses JAMF to admin the phones and ISE checks for compliance. We have a random MAC check and send them to a portal instructing how to turn it off. Our Guest/BYOD doesn't have this check since they all get sent external.

Random MAC has a bit set in the MAC address, so you can do a check for the second character to be 2, 6, A, or E.


Hi

Thanks for that. So are you saying still MAB and iPSK but also add the random MAC bit check in the policy too? Also, do all devices use this same random MAC pattern?

Thanks

Arne Bier
VIP

A "random/private" MAC address is not quite random - it's technically a locally administered MAC address that conforms to a bit pattern prefix.

x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx
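To show why the "second character is 2, 6, A or E" check from the earlier reply and the x2/x6/xA/xE prefixes above are the same test, here is an added example (not from the thread or from Cisco ISE) that decodes the locally administered (U/L) bit of the first octet and compares it with the second-hex-digit rule; the MAC addresses are constructed samples.

```python
import re
from typing import Dict, Iterable

# Constructed sample addresses for the demo; none are taken from the thread.
SAMPLE_MACS = [
    "00:11:22:33:44:55",   # universally administered (OUI-assigned)
    "02-11-22-33-44-55",   # locally administered, second hex digit 2
    "1a1b.1c1d.1e1f",      # Cisco dotted notation, second hex digit A
    "2E:11:22:33:44:55",   # second hex digit E
    "01:00:5e:00:00:01",   # multicast group address, not a station MAC
]

def parse_mac(mac: str) -> bytes:
    """Normalise colon, hyphen, dotted or bare hex notation to 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit; set on private/random MACs."""
    return bool(parse_mac(mac)[0] & 0x02)

def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet is the I/G bit; set means a group address."""
    return bool(parse_mac(mac)[0] & 0x01)

def second_hex_digit_check(mac: str) -> bool:
    """The rule from the thread: second hex character is 2, 6, A or E.
    2, 6, A, E are exactly the nibbles with bit 1 set and bit 0 clear, so
    this equals the U/L test for unicast addresses (multicast excluded)."""
    return parse_mac(mac).hex().upper()[1] in "26AE"

def audit(macs: Iterable[str]) -> Dict[str, str]:
    """Label each address the way an authorization condition would see it."""
    result = {}
    for mac in macs:
        if is_multicast(mac):
            result[mac] = "multicast"
        elif is_locally_administered(mac):
            result[mac] = "locally-administered (private/random)"
        else:
            result[mac] = "universally-administered (OUI-assigned)"
    return result

if __name__ == "__main__":
    for mac, label in audit(SAMPLE_MACS).items():
        print(f"{mac:20} {label}")
```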


Hi

Thanks again. How would I create this and apply it to an Authorisation policy, please?

Thanks


arslanbut9090
Level 1

Creating a custom attribute in an IT context often depends on the specific device management or network management system you are using. Assuming you're working with an Endpoint management or Network Access Control (NAC) system that allows custom attributes, here's a general guideline:

  1. Check System Compatibility: Ensure that your Endpoint or NAC system supports the creation of custom attributes and allows you to match on device serial numbers.

  2. Define Custom Attribute: In your management system, look for a section related to device attributes or custom attributes. Create a new attribute, naming it something like "Device Serial Number."

  3. Import CSV: If your system allows it, you should be able to import a CSV file containing device serial numbers. This file would essentially map each device's serial number to the corresponding custom attribute.

  4. Policy Enforcement: Once you've defined the custom attribute and imported the serial numbers, configure your network policies to use this attribute for access control. For example, you might set a policy to allow network access if the "Device Serial Number" matches an entry in your CSV.

  5. Testing: Test the configuration with a few devices to ensure that the policies are working as expected.

Remember, the steps might vary based on the specific system you're using, and it's crucial to refer to the documentation or support resources provided by the system's vendor for accurate and system-specific instructions. If you provide more details about the specific system you're using, I might be able to offer more targeted guidance.