
ISE roadmap for "IP Address Range" and "adding host w/ Wildcards"?

stacbrow
Cisco Employee

I support a customer planning to migrate from ACS 5.6 to ISE 2.x.  Today, they use "Configure devices w/ IP Address Ranges", and "adding host with wildcards".  Any roadmap plans for ISE to support these features?

Accepted Solutions

howon
Cisco Employee

Stacy, please contact the PM team regarding the roadmap-related questions. But regarding those two features there are easy workarounds:

For network device IP ranges, ISE supports IP subnet with CIDR, which can be used in place in combination with individual IP addresses.

For endpoints with wildcards, depending on what you are trying to do, you can either create a profiling policy to put devices with a certain MAC prefix into different profiling groups to use in policy, or you can simply create an authorization policy that says if the MAC address starts with XX:XX:XX then take this action.

Hosuk

Ok. I understand that.

So, if today I have network devices defined with an IP address range 172.19.10.7-9/32,

I would need to replace this with 3 IP address definitions: 172.19.10.7/32, 172.19.10.8/32, 172.19.10.9/32

Right? This cannot be summarized into an IP subnet with CIDR.

Yes, that example will need to be 3 individual IPs for now.

stacbrow
Cisco Employee

I was interpreting "adding host with wildcards" as the following:  172.19.10.*/32.

Where "*" is the wildcard.  Is this what is not supported in ISE 2.1?

If this is not supported, I think a CIDR summary can be used here.  I just want to be sure this is the feature not supported.

No, 'hosts' in this case are the endpoints, not NADs (Network Access Devices). ACS allows host entries such as AB:AB:AB:* and matches against any MAC address that starts with AB:AB:AB:. ISE counts each of the endpoints with its full MAC, so no wildcard can be used for the purpose of endpoint account in the DB. However, the purpose of having ACS and ISE apply policy based on the MAC address prefix can be achieved with the workaround above.

Hosuk

Is using wildcards " * " for adding NADs supported?

Not on ISE. But I don't believe that is supported on ACS either.

They are currently using wildcards " * " for adding NADs in ACS.

OK, so ACS supports it and ISE doesn't. Again for any roadmaps please contact PM team.
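
An added example, not part of the original thread and not Cisco tooling: a Python helper that converts ACS-style range and wildcard device entries, in the notation used in the thread, into the exact set of CIDR blocks that covers them, so a migrated network device definition never matches more addresses than the original did. The function names are hypothetical, and whether ISE accepts every prefix length the helper emits (for example /31) is an assumption to verify on the target version.

```python
import ipaddress

def parse_octet(tok):
    """Return (low, high) for one octet written as N, A-B or *."""
    if tok == "*":
        return 0, 255
    lo, _, hi = tok.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet {tok!r}")
    return lo, hi

def acs_to_cidrs(entry):
    """Exact CIDR cover for an ACS-style range/wildcard device entry."""
    addr = entry.strip()
    if addr.endswith("/32"):          # the thread writes entries with a /32 suffix
        addr = addr[:-3]
    toks = addr.split(".")
    if len(toks) != 4:
        raise ValueError(f"expected 4 octets: {entry!r}")
    spans = [parse_octet(t) for t in toks]
    # The entry is one contiguous block only if every octet after the first
    # ranged octet spans 0-255; otherwise refuse instead of widening the match.
    ranged = False
    for lo, hi in spans:
        if ranged and (lo, hi) != (0, 255):
            raise ValueError(f"non-contiguous entry, split it manually: {entry!r}")
        ranged = ranged or lo != hi
    first = ipaddress.IPv4Address(".".join(str(lo) for lo, _ in spans))
    last = ipaddress.IPv4Address(".".join(str(hi) for _, hi in spans))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def covered_hosts(cidrs):
    """Total addresses matched by a list of CIDR blocks (sanity check)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

if __name__ == "__main__":
    # Constructed sample entries using the notation from the thread.
    for entry in ("172.19.10.7-9/32", "172.19.10.*/32", "172.19.10.7"):
        cidrs = acs_to_cidrs(entry)
        print(f"{entry:20} -> {cidrs} ({covered_hosts(cidrs)} addresses)")
```

Comparing `covered_hosts()` against the size of the original range before import confirms the new definitions match exactly the addresses the old entry did.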