10-29-2018 01:58 AM
Hi!
Cisco ISE version 2.4.
I have created an endpoint identity group named Whitelist and then added a few MAC addresses to it. The plan is to use this as a whitelist for the few devices we have. I created an authorization policy for it.
Radius:Calling-Station-ID MAC_IN Whitelist.
This works, but when I tried another MAC the same way it didn't work, and after the weekend the computer that was working is not getting the policy and is going to the default deny policy.
It was kind of surprising, but then it looks like I had used a policy as below for the MAC address, and as that MAC address was authenticated with the policy below, it worked for the whitelist policy, but once its cache expired it is not working.
Radius: calling-Station-ID EQUALS 5c-5f-67-c8-58-7f
I looked into the documentation below, and my understanding is that as the MAC was authenticated with the above policy, it worked for the MAC_IN policy for some time, and after expiration it didn't work.
Now I enabled
Radius: calling-Station-ID EQUALS 5c-5f-67-c8-58-7f
and then disabled it and now below is working.
Radius:Calling-Station-ID MAC_IN Whitelist.
I only want that if the MAC exists in Whitelist it should be authorized.
Thanks for your suggestion and help in this.
10-29-2018 02:38 AM
Hi,
Why don't you create a profiling group and add the MAC addresses? This will allow you to add multiple MAC addresses whenever needed.
10-29-2018 02:41 AM
Hi!
The issue with that is, let's say I profile for Huawei phones; then anyone from outside with that model or vendor can join, as I have an open SSID.
Right now I have 10 devices, so I can use MAC addresses as a restriction. I know it's not a sure thing, but that's the best thing I have in mind and a quick solution as well.
Thanks
10-29-2018 03:10 AM - edited 10-29-2018 03:10 AM
Right now I just need an AuthZ rule for:
If MAC address in identity group ABC, then allow VLAN 20.
10-29-2018 03:38 AM
Hi,
You can create an authz rule like IdentityGroup Name EQUALS Endpoint Identity Groups:ABC, then VLAN 20.
Then you can add the required MAC addresses to the ABC identity group under Administration > Identity Management > Groups > Endpoint Identity Groups > ABC.
-Aravind
10-29-2018 03:41 AM
I tried this kind of option. The problem with this is that if this condition becomes true, and it will in any case, then it will allow access automatically.
IdentityGroup Name EQUALS Endpoint Identity Groups:ABC
As I see it, the logic is that if a matching ABC endpoint group exists, then authorize the VLAN. It will not check the MAC address inside.
10-29-2018 05:15 AM
As I see it, the logic is that if a matching ABC endpoint group exists, then authorize the VLAN. It will not check the MAC address inside.
It does not work that way. The endpoint needs to be assigned to the endpoint group for the condition to hold true.
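To make the point above concrete, here is a constructed Python model of first-match authorization over an endpoint identity group. It is an added example, not ISE code and not code from anyone in this thread; the rule names, the single-group-per-endpoint model and the Calling-Station-Id formats it normalizes (colon, dash and Cisco dotted form) are assumptions made for the illustration. It shows that both `IdentityGroup EQUALS` and `MAC_IN` only hold for a MAC that is actually a member of the group, that a disabled rule is skipped, and that removing the endpoint from the group sends it back to the default deny.

```python
"""Toy first-match model of ISE-style authorization over an endpoint whitelist.

Constructed example: this does not talk to ISE and is not its policy engine.
It models only the behaviour discussed in the thread: rules are evaluated top
to bottom, the first enabled rule whose condition holds wins, and a
group-based condition (IdentityGroup EQUALS, or Calling-Station-ID MAC_IN)
holds only for a MAC that is a member of that group.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Condition = Callable[[str, "EndpointGroups"], bool]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lower-case xx-xx-xx-xx-xx-xx.

    Assumption: Calling-Station-Id may arrive as 5C:5F:67:C8:58:7F,
    5c-5f-67-c8-58-7f or 5c5f.67c8.587f depending on the NAS, so membership
    is compared on the canonical form rather than the raw string.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


class EndpointGroups:
    """Endpoint identity groups; each MAC belongs to at most one group."""

    def __init__(self) -> None:
        self._group_of: Dict[str, str] = {}

    def add(self, group: str, mac: str) -> None:
        self._group_of[normalize_mac(mac)] = group

    def remove(self, mac: str) -> None:
        self._group_of.pop(normalize_mac(mac), None)

    def group_of(self, mac: str) -> Optional[str]:
        return self._group_of.get(normalize_mac(mac))

    def members(self, group: str) -> Set[str]:
        return {m for m, g in self._group_of.items() if g == group}


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: str            # e.g. "PermitAccess, VLAN 20"
    enabled: bool = True


def mac_in(group: str) -> Condition:
    """Radius:Calling-Station-ID MAC_IN <group>"""
    return lambda mac, groups: normalize_mac(mac) in groups.members(group)


def identity_group_equals(group: str) -> Condition:
    """IdentityGroup:Name EQUALS Endpoint Identity Groups:<group>"""
    return lambda mac, groups: groups.group_of(mac) == group


def calling_station_equals(literal: str) -> Condition:
    """Radius:Calling-Station-ID EQUALS <literal MAC>"""
    canon = normalize_mac(literal)
    return lambda mac, groups: normalize_mac(mac) == canon


def authorize(rules: List[Rule], mac: str, groups: EndpointGroups,
              default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, profile) of the first enabled matching rule,
    or ("Default", default) when nothing matches."""
    for rule in rules:
        if rule.enabled and rule.condition(mac, groups):
            return rule.name, rule.profile
    return "Default", default


if __name__ == "__main__":
    groups = EndpointGroups()
    groups.add("Whitelist", "5c-5f-67-c8-58-7f")   # the MAC from the thread
    policy = [Rule("Whitelist-MAC", mac_in("Whitelist"), "PermitAccess, VLAN 20")]
    for probe in ("5C:5F:67:C8:58:7F", "5c5f.67c8.587f", "00-11-22-33-44-55"):
        print(probe, "->", authorize(policy, probe, groups))
```

The model deliberately has no caching: whether a session authorized earlier still matches depends only on current group membership, which is the behaviour the thread expects once the earlier literal EQUALS rule is disabled.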
10-29-2018 06:43 AM
OK. I did test it, but I'm not sure; I did see Auth successful and then thought it shouldn't be that way. Auth will be a success as the MAC exists as an internal endpoint. I am pretty sure you guys have tested it :).
I just need to double-check this for AuthZ.
10-29-2018 05:32 AM
... and as that MAC address was authenticated with the policy below, it worked for the whitelist policy, but once its cache expired it is not working. ...
You might run into either CSCvi73782 or CSCvk55076.