04-07-2016 11:14 AM
I support a customer planning to migrate from ACS 5.6 to ISE 2.x. Today, they use "Configure devices w/ IP Address Ranges", and "adding host with wildcards". Any roadmap plans for ISE to support these features?
04-07-2016 11:23 AM
Stacy, please contact the PM team regarding the roadmap-related questions. But regarding those two features there are easy workarounds:
For network device IP ranges, ISE supports IP subnet with CIDR, which can be used in place in combination with individual IP addresses.
For endpoint with wildcard, depending on what you are trying to do, you can either create a profiling policy to put devices with a certain MAC prefix into different profiling groups to use in policy, or you can simply create an authorization policy that says if MAC address starts with XX:XX:XX then take this action.
Hosuk
04-07-2016 11:39 AM
Ok. I understand that.
So, if today I have network devices defined with an IP address range 172.19.10.7-9/32,
I would need to replace this with 3 IP address definitions: 172.19.10.7/32, 172.19.10.8/32, 172.19.10.9/32.
Right? This cannot be summarized into an IP subnet with CIDR.
04-07-2016 11:50 AM
Yes, that example will need to be 3 individual IPs for now.
04-07-2016 11:49 AM
I was interpreting "adding host with wildcards" as the following: 172.19.10.*/32.
Where "*" is the wildcard. Is this what is not supported in ISE 2.1?
If this is not supported, I think a CIDR summary can be used here. I just want to be sure this is the feature not supported.
04-07-2016 11:55 AM
No, 'hosts' in this case are the endpoints, not NADs (Network Access Devices). ACS allows host entries such as AB:AB:AB:* and matches against any MAC addresses that start with AB:AB:AB:. ISE counts each of the endpoints with full MAC so no wildcard can be used for the purpose of endpoint account in the DB. However, the purpose of applying policy based on the MAC address prefix can be achieved with the workaround above.
Hosuk
04-07-2016 12:00 PM
Is using wildcards " * " for adding NADs supported?
04-07-2016 12:24 PM
Not on ISE. But I don't believe that is supported on ACS either.
04-07-2016 12:35 PM
They are currently using wildcards " * " for adding NADs in ACS.
04-07-2016 12:37 PM
OK, so ACS supports it and ISE doesn't. Again for any roadmaps please contact PM team.
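For the migration discussed in this thread, range and wildcard device entries have to be rewritten as CIDR blocks or individual addresses. The following is an added example, not part of the thread and not Cisco code: it takes entries in the notation the posters used (`172.19.10.7-9/32`, `172.19.10.*/32`) and computes the smallest CIDR set that covers exactly the same addresses. The function names are hypothetical, and which prefix lengths a given ISE release accepts for a network device is an assumption to verify.

```python
import ipaddress
from itertools import product

def _octet_span(token):
    """Return (low, high) for one octet written as 'N', 'A-B' or '*'."""
    if token == "*":
        return 0, 255
    low, _, high = token.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet {token!r}")
    return low, high

def acs_entry_to_cidrs(entry):
    """Convert a range/wildcard device entry into the minimal exact CIDR cover."""
    addr, _, mask = entry.strip().partition("/")
    if mask not in ("", "32"):
        raise ValueError("only host-style (/32) range entries are handled")
    tokens = addr.split(".")
    if len(tokens) != 4:
        raise ValueError(f"expected 4 octets in {entry!r}")
    spans = [_octet_span(t) for t in tokens]
    # k = last octet that is not a full 0-255 wildcard; octets after it are full,
    # so each choice of the leading octets yields one contiguous address range.
    k = 3
    while k > 0 and spans[k] == (0, 255):
        k -= 1
    lo, hi = spans[k]
    nets = []
    for head in product(*(range(a, b + 1) for a, b in spans[:k])):
        first = list(head) + [lo] + [0] * (3 - k)
        last = list(head) + [hi] + [255] * (3 - k)
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(".".join(map(str, first))),
            ipaddress.IPv4Address(".".join(map(str, last)))))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def to_host_entries(cidrs):
    """Expand CIDR blocks into individual /32 entries (the form given in the thread)."""
    return [f"{ip}/32" for c in cidrs for ip in ipaddress.ip_network(c)]

if __name__ == "__main__":
    # Entries below are the ones quoted in the thread.
    for entry in ("172.19.10.7-9/32", "172.19.10.*/32"):
        cidrs = acs_entry_to_cidrs(entry)
        print(entry, "->", cidrs)
```

Because the cover is exact, no address outside the original entry becomes a recognized network device; rounding a range up to a wider subnet by hand would extend the shared secret's trust to addresses the ACS entry never included.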