Re: MAC Address management on large network with ISE

REJR77 · ‎10-14-2020

Hello,

Do you have any experience with the management of MAC address on large network?

It is quite difficult to manage on boading and decommissioning of MAC addresses when running big networks.

Some use cases in mind:

- Partners that add/remove devices on the network at any time of the day (when the IT team is out of office)

- Is it opssible to authenticate the different partners / and assigning them a group where they can add/remove addresses

- Is there a way to remove MAC addresses when the device has not been connected to the network for x months?

I don't know if there is an external tool (or already included in ISE) to manage such use cases.

Waiting for your experience

Rgds

Mike.Cifelli · ‎10-14-2020

- Partners that add/remove devices on the network at any time of the day (when the IT team is out of office)

- Is it opssible to authenticate the different partners / and assigning them a group where they can add/remove addresses

--Have you considered relying on APIs to automate this? Essentially you could grant certain users the ability to add/remove devices to certain groups. This is tricky at first if you are not comfortable with APIs, but once you get a handle it works great.

- Is there a way to remove MAC addresses when the device has not been connected to the network for x months?

--Yes. See endpoint purging. Administration->Identity Management->Settings->Endpoint Purge. Here you have the ability to configure different endpoint purging policies. An example would be IF <Group A> and ElaspedDays or InactiveDays GREATERTHAN 30 days then purge MACs from group. You will have to test things here to match your requirements, but it is definitely feasible.

HTH!

REJR77 · ‎10-19-2020

Hello Mike,

Thank you for your advices.

I would have hoped I wouldn't need the APIs, but I'll have to get used to it

With API, can we make something like a RBAC for adding/removing MAC@?
For example, user1 will be only able to add/remove MAC@ for IdentityGroup1 and user2 will only have access to IdentityGroup2.

Thanks

Mike.Cifelli · ‎10-19-2020

IMO you have a couple of options to test. With the APIs you could create separate scripts that allow different admins to only operate on/against specific groups. So for example you could have a script that allows image team to manipulate adding/removing MACs to the "AllowedImaging" group. Then depending on how you run the scripts you could setup executable permissions on the client side.

With API, can we make something like a RBAC for adding/removing MAC@?

-You could setup separate data access privileges for each respective group, create different ERS users with different group, and then tie them all together in the admin access RBAC Policy. The policy would essentially say something like this: TEST1->If ERS_Ticket_Admin->then: Identity Admin Access Menu+Identity Admin Data Access_TEST1. You will have to test and determine which fits your environment best. However, you will still run into some other things in order to separate them which will be determining the following: how will you prompt the user via script to pass the respective name, how will you ensure user/pass for different ERS users will not get shared. I ask these questions because your payload will need this type of information.

IMO your best bet that would be less overhead from a config/scripting perspective would be to have simple scripts and manage accordingly relying on other mechanisms to restrict the access. HTH!