Capricorn

MAC address whitelist

Hi!

Cisco ISE version 2.4.

I have created an endpoint identity group named Whitelist and then added a few MAC addresses to it. The plan is to use this as a whitelist of the few devices we have. I created an authorization policy for it:

Radius:Calling-Station-ID MAC_IN Whitelist

This works, but when I tried another MAC the same way it didn't work, and after the weekend the computer that was working is no longer getting the policy and is going to the default deny policy.

It was kind of surprising, but it looks like I had used a policy as below for the MAC address, and as that MAC address was authenticated with the policy below, it worked for the whitelist policy; but once its cache expired it stopped working.

Radius:Calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

I looked into the documentation below, and my understanding is that as the MAC was authenticated with the above policy, it worked for the MAC_IN policy for some time, and after expiration it didn't work.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010010.html

Now I enabled

Radius:Calling-Station-ID EQUALS 5c-5f-67-c8-58-7f

and then disabled it, and now the below is working:

Radius:Calling-Station-ID MAC_IN Whitelist

I only want that if the MAC exists in Whitelist it should be authorized.

Thanks for your suggestions and help with this.


Accepted Solution

Hi,

You can create an authz rule like IdentityGroup Name EQUALS Endpoint Identity Groups:ABC, then VLAN 20.

Then you can add the required MAC addresses to the ABC identity group: Administration > Identity Management > Groups > Endpoint Identity Groups > ABC

-Aravind

ma.alsaffar

Hi,

Why don't you create a profiling group and add the MAC addresses? This will allow you to add multiple MAC addresses whenever needed.

Hi!

The issue with that is, let's say I profile for Huawei phones, then anyone from outside with that model or vendor can join, as I have an open SSID.

Right now I have 10 devices, so I can use the MAC address as a restriction. I know it's not a sure thing, but that's the best thing I have in mind and a quick solution as well.

Thanks

Right now I just need an authz rule for:

If mac-address in Identity group ABC then allow VLAN 20



I tried this kind of option. The problem with this is that if this condition becomes true, and it will in any case, then it will allow access automatically.

IdentityGroup Name EQUALS Endpoint Identity Groups:ABC

As I see it, the logic is that if a matching ABC endpoint group exists then it authorizes the VLAN. It will not check the MAC address inside.

It does not work that way. The endpoint needs to be assigned to the endpoint group for the condition to hold true.
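To make the point above concrete, here is a small model of how the authorization rule set in this thread evaluates a RADIUS request. It is an added example, not code from the thread or from Cisco ISE; the endpoint table, the second whitelisted MAC and the assumption that ISE keeps MACs in upper-case colon-separated form are constructed for the illustration.

```python
import re

# Constructed endpoint database: MAC -> endpoint identity group the record is
# assigned to. ISE keeps MACs in upper-case, colon-separated form (assumed here).
# 5c-5f-67-c8-58-7f is the MAC from the thread; the second entry is made up.
ENDPOINTS = {
    "5C:5F:67:C8:58:7F": "Whitelist",
    "00:11:22:33:44:55": "Whitelist",
}

def normalize_mac(calling_station_id):
    """Canonicalise a RADIUS Calling-Station-Id to AA:BB:CC:DD:EE:FF.

    Switches and WLCs send the MAC in different shapes (5c-5f-67-c8-58-7f,
    5c5f.67c8.587f, 5C:5F:67:C8:58:7F). Comparing the raw string would
    silently miss whitelisted devices, so compare one canonical form.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def in_identity_group(calling_station_id, group):
    """Membership test behind both rule forms in the thread:
    'Radius:Calling-Station-ID MAC_IN <group>' and
    'IdentityGroup Name EQUALS Endpoint Identity Groups:<group>'.
    It is true only when an endpoint record with this MAC is assigned to
    the group; an unknown MAC has no record, so the condition is false.
    """
    return ENDPOINTS.get(normalize_mac(calling_station_id)) == group

# Authorization rules, evaluated top-down, first match wins.
# The last rule is the catch-all default deny the original poster saw.
RULES = [
    ("Whitelist-VLAN20", lambda csid: in_identity_group(csid, "Whitelist"),
     "PermitAccess, VLAN 20"),
    ("Default", lambda csid: True, "DenyAccess"),
]

def authorize(calling_station_id):
    """Return (rule name, result) for one RADIUS request."""
    try:
        for name, condition, result in RULES:
            if condition(calling_station_id):
                return name, result
    except ValueError:
        pass  # unparsable Calling-Station-Id never matches a MAC condition
    return "Default", "DenyAccess"
```

Any MAC that is not an endpoint in the Whitelist group, whatever format the NAS sends it in, falls through to the default deny rule.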

OK. I did test it, but I'm not sure: I did see Auth successful and then thought it shouldn't be that way. Auth will be a success as the MAC exists as an internal endpoint. I am pretty sure you guys have tested it :).

Just need to double check this for AuthZ.


hslai (Cisco Employee)

"... and as that MAC address was authenticated with the policy below, it worked for the whitelist policy; but once its cache expired it stopped working. ..."

 


You might run into either CSCvi73782 or CSCvk55076.
