1073 Views, 10 Helpful, 2 Replies

MAC Address Discovery (update the internal endpoints database)

kkvitovs
Cisco Employee

Hello everyone,

If a customer has a lot of endpoints (more than 100K) and wants to use MAB, but they don't have a list of the MAC addresses of the devices, what are their options to collect the clients' MAC addresses for the subsequent MAB process?

Possible options:
1. According to the Admin guide, when you Enable MAB: "You can add these endpoints or have them profiled automatically by the Profiler service." https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010010.html?bookSearch=true#ID777
As far as I understand, they can start with Monitor mode. During the monitoring phase they will be able to build a list of endpoints with profiling, by enabling for example the RADIUS probe (https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId-91730638). The RADIUS probe collects the MAC, and this way they will collect the MAC addresses of all endpoints that make a RADIUS request. Is this possible, or what are the options to use the profiling service to collect the list of MAC addresses?


2. Another option: they plan to configure a Catalyst port only for collecting MAC addresses; once users have registered the MAC by connecting the PC to that port, they can use MAB on any other port. Can they do this?


3. Any other suggestion/options?


Thank you in advance.


1 Accepted Solution

Accepted Solutions

Colby LeMaire
VIP Alumni

Your option 1 is the recommended approach.  All deployments should start with Monitor Mode to gain visibility to what is on the network and get a feel for what would fail authentication.  Then once the profiling policies are working and the majority of endpoints are authenticating successfully, you move to enforcement mode.


2 Replies


@Colby LeMaire is correct.

Keep in mind, however, that the ISE Profiling engine can only identify an endpoint based on the information provided by the network. It is not a silver bullet.

In an environment with 100K endpoints, it is highly likely that ISE will be unable to effectively profile a large percentage of endpoints. If the customer does not have information on the endpoints to correlate with what info ISE receives from the network, they will likely have to physically track down those devices and try to determine if any custom profiling policies can be created for those endpoints.

In the early stages of an ISE project prior to deployment of the solution, the customer project team should ideally start reaching out to business owners across the organisation to build lists of legitimate endpoint types used across the business and build processes to manage the lifecycle of existing endpoint types as well as approvals for future ones.


Cheers,

Greg
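The Monitor Mode workflow both replies describe (collect the MACs that hit RADIUS, then see how many ISE could actually profile before switching to enforcement) can be approximated offline from exported authentication records. The script below is an added example, not code from this thread or from Cisco: it normalises the Calling-Station-ID values that arrive in colon, hyphen or Cisco dotted notation, deduplicates them into an endpoint inventory, reports how many would still be "Unknown" to the profiler (the ones Greg says you will have to track down physically), and emits a CSV for bulk import. The key=value log format, the sample lines and the CSV column names are constructed placeholders; check the endpoint import template of your own ISE version before using the output.

```python
import csv
import io
import re

# Constructed sample of RADIUS/MAB authentication records in a key=value style.
# These lines are made up for this example; real ISE exports differ by version.
SAMPLE_LOG = """\
Calling-Station-ID=00-11-22-33-44-55, NAS-Port-Id=GigabitEthernet1/0/1, EndPointMatchedProfile=Cisco-IP-Phone, AuthenticationMethod=mab
Calling-Station-ID=00:11:22:33:44:55, NAS-Port-Id=GigabitEthernet1/0/1, EndPointMatchedProfile=Cisco-IP-Phone, AuthenticationMethod=mab
Calling-Station-ID=aabb.cc00.1122, NAS-Port-Id=GigabitEthernet1/0/7, EndPointMatchedProfile=Unknown, AuthenticationMethod=mab
Calling-Station-ID=AA-BB-CC-00-11-33, NAS-Port-Id=GigabitEthernet2/0/3, EndPointMatchedProfile=Windows10-Workstation, AuthenticationMethod=mab
Calling-Station-ID=not-a-mac, NAS-Port-Id=GigabitEthernet2/0/4, EndPointMatchedProfile=Unknown, AuthenticationMethod=mab
"""

HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits.
    Accepts colon, hyphen and Cisco dotted (aabb.cc00.1122) notations, so the
    same endpoint seen through different switches collapses to one key."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_record(line):
    """Split one 'key=value, key=value' line into a dict (constructed format)."""
    fields = {}
    for part in line.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def build_endpoint_inventory(log_text):
    """Deduplicate records into {mac: {profile, ports, seen}}; malformed
    Calling-Station-ID values are skipped because nothing usable can be imported."""
    inventory = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        mac = normalize_mac(rec.get("Calling-Station-ID", ""))
        if mac is None:
            continue
        entry = inventory.setdefault(mac, {"profile": "Unknown", "ports": set(), "seen": 0})
        entry["seen"] += 1
        entry["ports"].add(rec.get("NAS-Port-Id", ""))
        profile = rec.get("EndPointMatchedProfile", "Unknown")
        if profile != "Unknown":
            entry["profile"] = profile  # keep the most specific profile observed
    return inventory


def coverage_report(inventory):
    """How many unique endpoints the profiler could classify versus not.
    The 'unknown' count is the rough size of the manual clean-up effort."""
    profiled = sum(1 for e in inventory.values() if e["profile"] != "Unknown")
    return {"total": len(inventory), "profiled": profiled, "unknown": len(inventory) - profiled}


def to_import_csv(inventory):
    """Render the inventory as CSV; the column names are placeholders, not
    a guaranteed ISE import schema."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["MACAddress", "EndPointPolicy", "Description"])
    for mac in sorted(inventory):
        e = inventory[mac]
        ports = ";".join(sorted(p for p in e["ports"] if p))
        writer.writerow([mac, e["profile"], f"seen {e['seen']}x on {ports}"])
    return buf.getvalue()


if __name__ == "__main__":
    inv = build_endpoint_inventory(SAMPLE_LOG)
    print(coverage_report(inv))
    print(to_import_csv(inv), end="")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the coverage figure is the number to watch over the monitoring phase, since the move to enforcement mode should wait until "unknown" has shrunk to the endpoints you have deliberately decided to handle another way.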