Cisco Employee

MAB Endpoint ID groups

Hi,

I tried in the lab recently to use MAB to put different sets of devices into the correct SGT group.

We created an Endpoint ID Group, and added in the devices to it (MAC address, device type, and ID group). We then created an Auth Condition to reference this condition, and finally an Auth Policy rule using the condition.

However we did not get consistent results – it seems that sometimes the device was picked up by this rule, sometimes not. At one point the profiling service picked up the devices with the MAC address in a different format, so we tried disabling profiling and adding in the devices manually.

Do you have a view on the correct way to do this?

We ran out of time in the lab, so at the moment can't troubleshoot further, but wanted to be prepared for when we try again.

Accepted Solutions
Cisco Employee

Hi,

The lab should have instructions on that. Were you able to get the instructions from the lab?

When you create an endpoint, you can statically assign the endpoint to that group or dynamically.

If you want to statically assign the groups, you need to click on the option as you create the endpoint to assign to a group.

Once that is done, you can go to the authorization policy and make sure the most restrictive policy is on the top and least restrictive is at the bottom so that ISE can choose the right authorization policy when it profiles an endpoint dynamically.

Please take a look at the profiling section of the ISE design guides to understand more on how it works.

ISE Design & Integration Guides

Thanks

Krishnan
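
A simplified model of the two points raised in this thread, added here as an example that is not part of the original posts and not ISE's own logic: canonicalising MAC addresses before building a static endpoint list, and first-match rule ordering with the catch-all rule last. The group, rule and SGT names and the sample MACs are constructed assumptions.

```python
import re

def normalize_mac(raw):
    """Canonicalise a MAC to upper-case, colon-separated octets."""
    digits = re.sub(r"[.:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_groups(entries):
    """Map canonical MAC -> group; collect MACs listed under two groups."""
    groups, conflicts = {}, []
    for raw, group in entries:
        mac = normalize_mac(raw)
        if mac in groups and groups[mac] != group:
            conflicts.append((mac, groups[mac], group))
            continue  # keep the first assignment, report the second
        groups[mac] = group
    return groups, conflicts

def authorize(calling_station_id, groups, rules):
    """First-match evaluation: the first rule whose condition holds wins."""
    group = groups.get(normalize_mac(calling_station_id))
    for name, required_group, sgt in rules:
        if required_group is None or required_group == group:
            return name, sgt
    return "no-match", None

# Constructed sample data (group, rule and SGT names are hypothetical).
ENTRIES = [
    ("00:11:22:AA:BB:01", "Printers"),
    ("0011.22aa.bb02", "Cameras"),
    ("00-11-22-aa-bb-01", "Profiled"),  # same device as entry 1, other format
]
SPECIFIC_FIRST = [
    ("printers", "Printers", "SGT_Printers"),
    ("cameras", "Cameras", "SGT_Cameras"),
    ("catch-all-mab", None, "SGT_Unknown"),
]
CATCH_ALL_FIRST = [SPECIFIC_FIRST[2]] + SPECIFIC_FIRST[:2]

if __name__ == "__main__":
    groups, conflicts = build_groups(ENTRIES)
    print("conflicting entries:", conflicts)
    for rules in (SPECIFIC_FIRST, CATCH_ALL_FIRST):
        print(authorize("00-11-22-AA-BB-01", groups, rules))
```

With the catch-all rule placed first, every endpoint receives its result and the group-specific rules are never reached.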
