Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
731
Views
0
Helpful
1
Replies

MAB Endpoint ID groups

Go to solution
jrowling
Cisco Employee
Cisco Employee

‎11-14-2016 09:46 AM

Hi,

I tried in the lab recently to use MAB to put different sets of devices into the correct SGT group.

We created an Endpoint ID Group, and added in the devices to it (mac address, device type, and ID group).  We then created an Auth Condition to reference this condition, and finally an Auth Policy rule using the condition.

However we did not get consistent results – it seems that sometimes the device was picked up by this rule, sometimes not.  At one point the profiling service picked up the devices with the mac address in a different format, so we tried disabling profiling and adding in the devices manually.

Do you have a view on the correct way to do this ?

We ran out of time in the lab, so at the moment can't troubleshoot further, but wanted to be prepared for when we try again.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎11-14-2016 07:12 PM

Hi,

The lab should have instructions on that. Were you able to get the instructions from the lab?

When you create an endpoint, you can statically assign the endpoint to that group or dynamically.

if you want to statically assign the groups, you need to click on the option as you create the end point to assign to a group.

Once that is done, you can go to the authorization policy and make sure the most restrictive policy is on the top and least restrictive is at the bottom so that ISE can choose the right authorization policy when it profiles an endpoint dynamically

Please take a look at the profiling section of the ISE design guides to understand more on how it works.

ISE Design & Integration Guides

Thanks

Krishnan

View solution in original post

0 Helpful
1 Reply 1

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎11-14-2016 07:12 PM

Hi,

The lab should have instructions on that. Were you able to get the instructions from the lab?

When you create an endpoint, you can statically assign the endpoint to that group or dynamically.

if you want to statically assign the groups, you need to click on the option as you create the end point to assign to a group.

Once that is done, you can go to the authorization policy and make sure the most restrictive policy is on the top and least restrictive is at the bottom so that ISE can choose the right authorization policy when it profiles an endpoint dynamically

Please take a look at the profiling section of the ISE design guides to understand more on how it works.

ISE Design & Integration Guides

Thanks

Krishnan

0 Helpful
Customers Also Viewed These Support Documents